Abstract

In this article, we examine how clausal resolution can be applied to a 
specific, but widely used, non-classical logic, namely discrete linear temporal 
logic. Thus, we first define a normal form for temporal formulae and show 
how arbitrary temporal formulae can be translated into the normal form, 
while preserving satisfiability. We then introduce novel resolution rules that 
can be applied to formulae in this normal form, provide a range of examples 
and examine the correctness and complexity of this approach. Finally, we 
describe related work and future developments concerning this work. 



1 Introduction 

Temporal logic is a non-classical logic that was originally developed in order to
represent tense in natural language [Pri67]. More recently, it has achieved a significant
role in the formal specification and verification of concurrent and distributed
systems [Pnu77]. It is commonly recognised that such reactive systems [HP85] represent
one of the most important classes of systems in computer science and, although
analysis of these systems is difficult, it has been successfully tackled using modal
and temporal logics [Pnu77, Eme90, Sti92]. In particular, a number of useful concepts,
such as safety, liveness and fairness, can be formally, and concisely, specified
using temporal logics [MP92, Eme90].

There are now a wide variety of temporal logics, differing in both their underlying
model of time (for example, branching [ES88] versus linear [Pnu77, MP92], and
dense [BG85] versus discrete) and their intended area of application (for example,
program specification [MP92], temporal databases [Tan93], knowledge representation
[AF99], executable temporal logics [BFG+96], natural language [Ste97]). In
this paper we concentrate on a specific but widely used temporal logic, Propositional
Linear Temporal Logic (PLTL), a discrete, linear temporal logic with finite
past and infinite future; see for example [GPSS80, MP92, MP95].



Given a specification of some computational system in PLTL, we may want to
establish that particular properties of the specification hold. Thus, for concurrent
systems, we must often show the absence of deadlock, preservation of mutual
exclusion, etc. (see for example [Lam83]). There are two main approaches to temporal
verification that could be used here. If we can generate a finite-state structure
representing all models of the system, then model checking techniques can be
applied [Hol97]. Model checking involves establishing that a specific temporal formula
is satisfied in the set of models representing the system. An alternative approach
involves direct proof in PLTL. We consider this second approach since not only
may it be the case that models are not readily available but, even if they are, many
systems we are interested in have very large, sometimes infinite, state spaces.
Importantly, the use of direct proof methods may obviate the need to traverse all of a
possible model structure.

The development of proof methods for temporal logic has followed three main
approaches: tableaux, automata and resolution. To show a formula $\varphi$ valid, each of
these methods is applied to the negation of $\varphi$, i.e. $\neg\varphi$. Tableaux-based approaches,
for example [Wol83, Gou84], attempt to systematically construct a structure from
which a model can be extracted for $\neg\varphi$. The inability to construct such a model
means that $\neg\varphi$ is unsatisfiable and therefore $\varphi$ is valid. The use of automata-based
approaches depends on the fact that models for PLTL are simply infinite sequences
of choices for truth values of proposition symbols. That is, an interpretation of
a PLTL formula can be viewed as an infinite word over the alphabet that is the
powerset of proposition symbols. Translations from PLTL into Büchi automata
are given in [SVW87]. If the automaton for $\neg\varphi$ is empty then it accepts no infinite
words, hence $\neg\varphi$ is unsatisfiable and $\varphi$ is valid.

Resolution-based approaches to proof in PLTL fall into two main classes: non-clausal
and clausal. A non-clausal method described in [AM85], and extended to
first-order temporal logic in [AM90], requires a large number of resolution rules,
making implementation of this method difficult. Clausal resolution was suggested
as a proof method for classical logic by Robinson [Rob65] and was claimed to be
machine oriented, i.e. suitable to be performed by computer as it has one rule of
inference that may be applied many times. Again, to show a formula $\varphi$ is valid, it
is negated and $\neg\varphi$ is translated into a normal form. The resolution inference rule is
applied until either no new inferences can be made or a contradiction is obtained.
The generation of a contradiction means that $\neg\varphi$ is unsatisfiable and therefore $\varphi$ is
valid.

Since clausal resolution is a simple and adaptable proof method for classical
logics with a bank of research into heuristics and strategies, it is perhaps surprising
that few attempts have been made to extend this to temporal logics. However,
discrete temporal logics, such as PLTL, are difficult to reason about as the interaction
between the $\Box$-operator (meaning always in the future) and the $\bigcirc$-operator
(meaning in the next moment in time) encodes a form of induction. Thus, a special
temporal resolution rule is needed to handle this. There have been two previous
attempts (known to the authors) at developing clausal resolution for temporal logics.
The method described in [CFdC84] is only applicable to a subset of the operators
allowed in this paper, that is for a less expressive language, and contains a more
complex normal form. The method described in [Ven86] is the closest to that described
in this paper, the main difference being that the reasoning is carried out
forward into the future while our approach involves reasoning backwards until a
contradiction is generated in the initial state. Both of these are discussed further
in §8.

The development of the new resolution method described in this paper is motivated
not only by our wish to show that such a resolution system can be both
simple and elegant, but also by our view that clausal resolution techniques will,
in the future, provide the basis for the most efficient temporal theorem-provers.
While, in previous years, the most successful theorem-provers for modal and temporal
logics have been tableau-based (e.g. [Hor98]), the use of resolution has now
been shown to be at least competitive [HS99]. In the classical framework, clausal
resolution has led to many refinements aimed at guiding the search for a refutation,
for example [CL73, WOLB84]. In addition, several efficient, fast, and widely used
resolution-based theorem provers have been developed, for example Otter [McC94]
and Spass [Wei97]. It is our view that a clausal temporal resolution system has
the potential to utilise a range of such efficient improvements developed for both
classical and modal resolution.

Thus, our approach is clausal. In particular, we define a very simple (and 
flexible) normal form, called Separated Normal Form (SNF), that removes all but 
a core set of temporal operators. Two types of resolution rule are then defined, one 
analogous to the classical resolution rule and the other a new temporal resolution 
rule. However, due to the interaction between the □ and O operators mentioned 
previously, the application of the temporal resolution rule is non-trivial, requiring 
specialised algorithms [Dix96]. It is not our intention here to analyse experimental 
results concerning use of the resolution method (which still remain part of our 
future work), but simply to provide a logically complete basis for clausal temporal 
resolution. While short reports on this work have appeared previously, notably
in [Fis91], this paper provides the first exposition of the full completeness result for
this temporal resolution method. In addition, it provides important properties of
the translation into the normal form, and presents a simpler future-time formulation
of the method.

The structure of the paper is as follows. In §2 we give the syntax and semantics
of PLTL. In §3, we define the normal form (SNF), show how any PLTL formula
may be translated into SNF and consider the properties of this translation. The
resolution rules for formulae in SNF are given in §4 while example refutations are
provided in §5. Issues of correctness and complexity are considered in §6 and §7,
respectively. Related work is examined in §8 and conclusions and future work are
provided in §9.



2 Propositional Temporal Logic



Propositional Temporal Logic (PLTL) was originally developed from work on tense
logics [Pri67], but has come to prominence through its application in the specification
and verification of both software and hardware [Pnu77]. The particular variety
of temporal logic we consider is based on a linear, discrete model of time with finite
past and infinite future [GPSS80, LPZ85]. Thus, the temporal operators supplied
operate over a sequence of distinct 'moments' in time.

There are several ways to view this logic. One is as a classical propositional
logic augmented with temporal connectives (or operators). An alternative characterisation
can be given in terms of a multi-modal language with two different
modalities, one representing the 'next' moment in time, the other representing all
future moments in time ($\bigcirc$ and $\Box$ below, respectively).

While it is possible to include past-time operators in the definition of the logic,
we choose not to do so in this exposition since, as models have a finite past, such
operators add no extra expressive power [GPSS80, LPZ85]. However, if the addition
of past-time operators makes the expression of certain properties easier (see, for
example, [LPZ85]) they can be easily incorporated (see later sections for more details).

The future-time connectives that we use include $\Diamond$ (sometime in the future),
$\Box$ (always in the future), $\bigcirc$ (in the next moment in time), $\mathcal{U}$ (until), and $\mathcal{W}$
(unless, or weak until). To assist readers who may be unfamiliar with the semantics
of the temporal operators we introduce, in the next section, all operators as basic.
Alternatively we could have provided the syntax and semantics of just a subset of
the operators and introduced the remainder as abbreviations.



2.1 Syntax 

PLTL formulae are constructed from the following elements.

• A set, $\mathcal{P}$, of propositional symbols.

• Propositional connectives, $\mathbf{true}$, $\mathbf{false}$, $\neg$, $\vee$, $\wedge$, and $\Rightarrow$.

• Temporal connectives, $\bigcirc$, $\Diamond$, $\Box$, $\mathcal{U}$ and $\mathcal{W}$.

The set of well-formed formulae of PLTL, denoted by wff, is inductively defined
as the smallest set satisfying the following.

Any element of $\mathcal{P}$ is in wff.
$\mathbf{true}$ and $\mathbf{false}$ are in wff.
If $A$ and $B$ are in wff then so are

$\neg A$, $A \vee B$, $A \wedge B$, $A \Rightarrow B$, $\Diamond A$, $\Box A$, $A\,\mathcal{U}\,B$, $A\,\mathcal{W}\,B$, $\bigcirc A$.

A literal is defined as either a proposition symbol or the negation of a proposition
symbol.

An eventuality is defined as a formula of the form $\Diamond A$.
2.2 Semantics 

PLTL is interpreted over discrete, linear structures, for example the natural numbers,
$\mathbb{N}$. A model of PLTL, $\sigma$, can be characterised as a sequence of states

$\sigma = s_0, s_1, s_2, s_3, \ldots$

where each state, $s_i$, is a set of proposition symbols, representing those proposition
symbols which are satisfied in the $i$-th moment in time. As formulae in PLTL are
interpreted at a particular state in the sequence (i.e. at a particular moment in
time), the notation

$(\sigma, i) \models A$

denotes the truth (or otherwise) of formula $A$ in the model $\sigma$ at state index $i \in \mathbb{N}$.
For any formula $A$, model $\sigma$ and state index $i \in \mathbb{N}$, either $(\sigma, i) \models A$ holds
or $(\sigma, i) \models A$ does not hold, denoted by $(\sigma, i) \not\models A$. If there is some $\sigma$ such that
$(\sigma, 0) \models A$, then $A$ is said to be satisfiable. If $(\sigma, 0) \models A$ for all models $\sigma$, then $A$ is
said to be valid and is written $\models A$. Note that formulae here are interpreted at $s_0$;
this is an alternative, but equivalent, definition to the one commonly used [Eme90].

The semantics of wff can now be given, as follows.



$(\sigma, i) \models p$ iff $p \in s_i$ [where $p \in \mathcal{P}$]

$(\sigma, i) \models \mathbf{true}$

$(\sigma, i) \not\models \mathbf{false}$

$(\sigma, i) \models A \wedge B$ iff $(\sigma, i) \models A$ and $(\sigma, i) \models B$

$(\sigma, i) \models A \vee B$ iff $(\sigma, i) \models A$ or $(\sigma, i) \models B$

$(\sigma, i) \models A \Rightarrow B$ iff $(\sigma, i) \models \neg A$ or $(\sigma, i) \models B$

$(\sigma, i) \models \neg A$ iff $(\sigma, i) \not\models A$

$(\sigma, i) \models \bigcirc A$ iff $(\sigma, i+1) \models A$

$(\sigma, i) \models \Diamond A$ iff there exists a $k \in \mathbb{N}$ such that $k \geq i$ and $(\sigma, k) \models A$

$(\sigma, i) \models \Box A$ iff for all $j \in \mathbb{N}$, if $j \geq i$ then $(\sigma, j) \models A$

$(\sigma, i) \models A\,\mathcal{U}\,B$ iff there exists a $k \in \mathbb{N}$ such that $k \geq i$ and $(\sigma, k) \models B$,
and for all $j \in \mathbb{N}$, if $i \leq j < k$ then $(\sigma, j) \models A$

$(\sigma, i) \models A\,\mathcal{W}\,B$ iff $(\sigma, i) \models A\,\mathcal{U}\,B$ or $(\sigma, i) \models \Box A$
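The semantic clauses above can be checked mechanically once a model is given in a finite form. An ultimately periodic model, a finite prefix of $P$ states followed by a loop of $L$ states repeated forever, has the property that for $j \geq P$ the suffix starting at $j$ is identical to the suffix starting at $j + L$, so each quantifier over $k \geq i$ or $j \geq i$ only needs to inspect the positions $i, \ldots, \max(i, P) + L - 1$. The following Python evaluator is an added example, not code from the paper; the tuple encoding of formulae, the `LassoModel` class and the two sample models (an authentication trace and a model for the implication proved in §3.4) are constructed here and are not from the original.

```python
"""Evaluate PLTL formulae over ultimately periodic (lasso) models: an added example.

Formulae are nested tuples: ('prop', 'p'), ('true',), ('false',), ('not', A),
('and', A, B), ('or', A, B), ('imp', A, B), ('next', A), ('sometime', A),
('always', A), ('until', A, B), ('unless', A, B).
"""
from typing import FrozenSet, Iterable, Tuple

State = FrozenSet[str]


class LassoModel:
    """sigma = prefix[0], ..., prefix[P-1], loop[0], ..., loop[L-1], loop[0], ..."""

    def __init__(self, prefix: Iterable[Iterable[str]], loop: Iterable[Iterable[str]]):
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        if not self.loop:
            raise ValueError("the loop must be non-empty: PLTL models have an infinite future")

    def state(self, i: int) -> State:
        """s_i: the set of proposition symbols satisfied at moment i."""
        p = len(self.prefix)
        return self.prefix[i] if i < p else self.loop[(i - p) % len(self.loop)]

    def horizon(self, i: int) -> int:
        """Positions i .. horizon(i)-1 contain a witness for any future of i:
        for j >= P the suffix from j equals the suffix from j + L, so anything
        true somewhere at or after i is already true below max(i, P) + L."""
        return max(i, len(self.prefix)) + len(self.loop)


def holds(model: LassoModel, f: Tuple, i: int = 0) -> bool:
    """(sigma, i) |= f, following the semantic clauses of section 2.2."""
    op = f[0]
    if op == 'true':
        return True
    if op == 'false':
        return False
    if op == 'prop':
        return f[1] in model.state(i)
    if op == 'not':
        return not holds(model, f[1], i)
    if op == 'and':
        return holds(model, f[1], i) and holds(model, f[2], i)
    if op == 'or':
        return holds(model, f[1], i) or holds(model, f[2], i)
    if op == 'imp':
        return (not holds(model, f[1], i)) or holds(model, f[2], i)
    if op == 'next':
        return holds(model, f[1], i + 1)
    if op == 'sometime':
        return any(holds(model, f[1], k) for k in range(i, model.horizon(i)))
    if op == 'always':
        return all(holds(model, f[1], j) for j in range(i, model.horizon(i)))
    if op == 'until':
        # the first k >= i where B holds must be reached with A true at every earlier j
        for k in range(i, model.horizon(i)):
            if holds(model, f[2], k):
                return True
            if not holds(model, f[1], k):
                return False
        return False
    if op == 'unless':
        return holds(model, ('until', f[1], f[2]), i) or holds(model, ('always', f[1]), i)
    raise ValueError("unknown connective %r" % (op,))


def satisfiable_in(model: LassoModel, f: Tuple) -> bool:
    """Formulae are interpreted at s_0, as in section 2.2."""
    return holds(model, f, 0)


# Constructed sample model (not from the paper): a request is made, is authenticated
# one moment later, and the system then idles forever.
REQ, AUTH, IDLE = ('prop', 'req'), ('prop', 'auth'), ('prop', 'idle')
SAMPLE = LassoModel(prefix=[{'req'}, {'req', 'auth'}], loop=[{'idle'}])

# The implication of section 3.4, (<>p /\ [](p => O p)) => <>[]p, checked on a
# constructed model in which p is false initially and then true forever.
P = ('prop', 'p')
PAPER_IMPLICATION = ('imp',
                     ('and', ('sometime', P), ('always', ('imp', P, ('next', P)))),
                     ('sometime', ('always', P)))
P_EVENTUALLY_FOREVER = LassoModel(prefix=[set()], loop=[{'p'}])

if __name__ == '__main__':
    print(satisfiable_in(SAMPLE, ('always', ('imp', REQ, ('sometime', AUTH)))))  # True
    print(satisfiable_in(P_EVENTUALLY_FOREVER, PAPER_IMPLICATION))               # True
```

Satisfaction in one lasso model is evidence of satisfiability only; establishing validity, the concern of the rest of the paper, requires showing that the negation has no model at all, which is what the resolution method does.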
2.3 Proof Theory

The standard axioms and inference rules for PLTL are as follows (taking the temporal
operators $\bigcirc$, $\Box$ and $\mathcal{U}$ as primitive and the remaining as abbreviations, see
§2.3.1). The axioms are all substitution instances of the following:



1. all classical tautologies,

2. $\vdash \Box(A \Rightarrow B) \Rightarrow (\Box A \Rightarrow \Box B)$

3. $\vdash$

4. $\vdash$

5. $\vdash \bigcirc(A \Rightarrow B) \Rightarrow (\bigcirc A \Rightarrow \bigcirc B)$

6. $\vdash \Box A \Rightarrow A \wedge \bigcirc \Box A$

7. $\vdash \Box(A \Rightarrow \bigcirc A) \Rightarrow (A \Rightarrow \Box A)$

8. $\vdash (A\,\mathcal{U}\,B) \Rightarrow \Diamond B$

9. $\vdash (A\,\mathcal{U}\,B) \Rightarrow (B \vee (A \wedge \bigcirc(A\,\mathcal{U}\,B)))$

10. $\vdash (B \vee (A \wedge \bigcirc(A\,\mathcal{U}\,B))) \Rightarrow (A\,\mathcal{U}\,B)$

The inference rules are modus ponens

from $\vdash A$ and $\vdash A \Rightarrow B$ infer $\vdash B$

and generalization

from $\vdash A$ infer $\vdash \Box A$.

Theorem 1 [GPSS80] (Soundness) If $\vdash A$ then $A$ is valid in PLTL.

Theorem 2 [GPSS80] (Completeness) If $A$ is valid in PLTL then $\vdash A$.



A complete axiom system for PLTL with future-time temporal operators is given
in [GPSS80]. The axiom system presented here is slightly different from the original
due to slight differences in the semantics of the connectives used. We note that it
is difficult to use such an axiom system for automated theorem proving as it is not
always clear which step should be taken next to move towards a proof.

2.3.1 Some Equivalences 

To assist the understanding of the translation to the normal form given in §3 we
list some equivalent PLTL formulae.

$\bigcirc(A \wedge B) \equiv \bigcirc A \wedge \bigcirc B$

$\neg\bigcirc A \equiv \bigcirc\neg A$

$\Box A \equiv A \wedge \bigcirc\Box A$

$\Diamond A \equiv A \vee \bigcirc\Diamond A$

$\neg\Box A \equiv \Diamond\neg A$

$(A\,\mathcal{U}\,B) \equiv B \vee (A \wedge \bigcirc(A\,\mathcal{U}\,B))$

$(A\,\mathcal{U}\,B) \equiv (A\,\mathcal{W}\,B) \wedge \Diamond B$

$\neg(A\,\mathcal{U}\,B) \equiv \neg B\,\mathcal{W}\,(\neg A \wedge \neg B)$

$(A\,\mathcal{W}\,B) \equiv B \vee (A \wedge \bigcirc(A\,\mathcal{W}\,B))$

$\neg(A\,\mathcal{W}\,B) \equiv \neg B\,\mathcal{U}\,(\neg A \wedge \neg B)$

These are standard and are given in [Gou84], for example.
3 A Normal Form for Propositional Temporal Logic



3.1 Separated Normal Form 

The resolution method is clausal, and so works on formulae transformed into a
normal form. The normal form, called Separated Normal Form (SNF), was inspired
by (but does not require) Gabbay's separation result [Gab87], which states
that temporal formulae can be transformed into their past, present and future-time
components. The normal form we present comprises formulae that are implications
with present-time formulae on the left-hand side and (present or) future-time formulae
on the right-hand side. The transformation into the normal form reduces
most of the temporal operators to a core set and rewrites formulae to be in a particular
form. The transformation into SNF depends on three main operations: the
renaming of complex subformulae; the removal of temporal operators; and classical
style rewrite operations.



Renaming, as suggested in [PG86], is a way of preserving the structure of a
formula when translating into a normal form in classical logic. Here, complex
subformulae can be replaced by a new proposition symbol and the truth value
of the new proposition symbol is linked to the subformula it represents at all points
in time. The removal of temporal operators is carried out by using (fixed point)
equivalences, for example

$\Box p \equiv (p \wedge \bigcirc\Box p)$

that 'unwind' the temporal operators to give formulae that need to hold both now
and in the future. Classical rewrite operations allow us to manipulate formulae into
the required form.

To assist in the definition of the normal form we introduce a further (nullary)
connective $\mathbf{start}$, that holds only at the beginning of time, i.e.

$(\sigma, i) \models \mathbf{start}$ iff $i = 0$.

This allows the general form of the (PLTL-clauses of the) normal form to be implications.
An alternative would be to allow disjunctions of literals as part of the
normal form representing the clauses holding at the beginning of time.

Formulae in SNF are of the general form

$\Box \bigwedge_i A_i$

where each $A_i$ is known as a PLTL-clause (analogous to a 'clause' in classical logic)
and must be one of the following forms, with each particular $k_a$, $k_b$, $l_c$, $l_d$ and $l$
representing a literal.

$\mathbf{start} \Rightarrow \bigvee_c l_c$ (an initial PLTL-clause)

$\bigwedge_a k_a \Rightarrow \bigcirc \bigvee_d l_d$ (a step PLTL-clause)

$\bigwedge_b k_b \Rightarrow \Diamond l$ (a sometime PLTL-clause)



For convenience, the outer $\Box$ and $\wedge$ connectives are usually omitted, and the
set of PLTL-clauses $\{A_i\}$ is considered. Different variants of the normal form have
been suggested [Fis92, FN92, Fis97]. For example, where PLTL is extended to allow
past-time operators the normal form has $\mathbf{start}$ or $\bullet A$ (where $\bullet$ means in the
previous moment in time and $A$ is a conjunction of literals) on the left-hand side
of the PLTL-clauses and a present-time formula or eventuality (i.e. $\Diamond l$) on the
right-hand side. Other versions allow further forms of PLTL-clause. These
are all expressively equivalent when models with finite past are considered.

To apply the temporal resolution rule (see §4), one or more step PLTL-clauses
may need to be combined. Consequently, a variant on SNF called merged-SNF
(SNF$_m$) [Fis91], is also defined. Given a set of PLTL-clauses in SNF, any PLTL-clause
in SNF is also a PLTL-clause in SNF$_m$. Any two PLTL-clauses in SNF$_m$
may be combined to produce a PLTL-clause in SNF$_m$ as follows.

$A \Rightarrow \bigcirc C$
$B \Rightarrow \bigcirc D$
$(A \wedge B) \Rightarrow \bigcirc(C \wedge D)$

Thus, any possible conjunctive combination of SNF PLTL-clauses can be represented
in SNF$_m$.



3.2 Translation into SNF 



In this section, we review the translation of an arbitrary PLTL formula into the
normal form (this extends the exposition provided in [Fis97]). The procedure uses
the technique of renaming complex subformulae by a new proposition symbol, where
the truth value of the new proposition symbol is linked to that of the renamed
formula at all moments in time. Thus, in the exposition below the new proposition
symbols introduced, namely those indicated by $v$, $y$ and $z$, must be new at each
iteration of the procedure.

Take any formula $A$ of PLTL and translate into SNF by applying the $\tau_0$ and $\tau_1$
transformations described below (where $y$ is a new proposition symbol).



$\tau_0[A] \longrightarrow \Box(\mathbf{start} \Rightarrow y) \wedge \tau_1[\Box(y \Rightarrow A)]$



Next, we give the $\tau_1$ transformation where $x$ is a proposition symbol. If the main
operator on the right of the implication is a classical operator (other than non-negated
disjunction) remove it as follows.

$\tau_1[\Box(x \Rightarrow (A \wedge B))] \longrightarrow \tau_1[\Box(x \Rightarrow A)] \wedge \tau_1[\Box(x \Rightarrow B)]$

$\tau_1[\Box(x \Rightarrow (A \Rightarrow B))] \longrightarrow \tau_1[\Box(x \Rightarrow (\neg A \vee B))]$

$\tau_1[\Box(x \Rightarrow \neg(A \wedge B))] \longrightarrow \tau_1[\Box(x \Rightarrow (\neg A \vee \neg B))]$

$\tau_1[\Box(x \Rightarrow \neg(A \Rightarrow B))] \longrightarrow \tau_1[\Box(x \Rightarrow A)] \wedge \tau_1[\Box(x \Rightarrow \neg B)]$

$\tau_1[\Box(x \Rightarrow \neg(A \vee B))] \longrightarrow \tau_1[\Box(x \Rightarrow \neg A)] \wedge \tau_1[\Box(x \Rightarrow \neg B)]$

Complex subformulae enclosed in any temporal operators are renamed as follows
(where $v$, $y$ and $z$ are new proposition symbols).

$\tau_1[\Box(x \Rightarrow \bigcirc A)] \longrightarrow \Box(x \Rightarrow \bigcirc y) \wedge \tau_1[\Box(y \Rightarrow A)]$, $A$ neither a literal nor a disjunction of literals.

$\tau_1[\Box(x \Rightarrow \neg\bigcirc A)] \longrightarrow \Box(x \Rightarrow \bigcirc y) \wedge \tau_1[\Box(y \Rightarrow \neg A)]$

$\tau_1[\Box(x \Rightarrow \Box A)] \longrightarrow \tau_1[\Box(x \Rightarrow \Box y)] \wedge \tau_1[\Box(y \Rightarrow A)]$, $A$ not a literal.

$\tau_1[\Box(x \Rightarrow \neg\Box A)] \longrightarrow \Box(x \Rightarrow \Diamond y) \wedge \tau_1[\Box(y \Rightarrow \neg A)]$

$\tau_1[\Box(x \Rightarrow \Diamond A)] \longrightarrow \Box(x \Rightarrow \Diamond y) \wedge \tau_1[\Box(y \Rightarrow A)]$, $A$ not a literal.

$\tau_1[\Box(x \Rightarrow \neg\Diamond A)] \longrightarrow \tau_1[\Box(x \Rightarrow \Box y)] \wedge \tau_1[\Box(y \Rightarrow \neg A)]$

$\tau_1[\Box(x \Rightarrow A\,\mathcal{U}\,B)] \longrightarrow \tau_1[\Box(x \Rightarrow y\,\mathcal{U}\,B)] \wedge \tau_1[\Box(y \Rightarrow A)]$, $A$ not a literal.

$\tau_1[\Box(x \Rightarrow A\,\mathcal{U}\,B)] \longrightarrow \tau_1[\Box(x \Rightarrow A\,\mathcal{U}\,y)] \wedge \tau_1[\Box(y \Rightarrow B)]$, $B$ not a literal.

$\tau_1[\Box(x \Rightarrow \neg(A\,\mathcal{U}\,B))] \longrightarrow \tau_1[\Box(x \Rightarrow (y\,\mathcal{W}\,v))] \wedge \tau_1[\Box(y \Rightarrow \neg B)] \wedge \tau_1[\Box(v \Rightarrow (y \wedge z))] \wedge \tau_1[\Box(z \Rightarrow \neg A)]$

$\tau_1[\Box(x \Rightarrow A\,\mathcal{W}\,B)] \longrightarrow \tau_1[\Box(x \Rightarrow y\,\mathcal{W}\,B)] \wedge \tau_1[\Box(y \Rightarrow A)]$, $A$ not a literal.

$\tau_1[\Box(x \Rightarrow A\,\mathcal{W}\,B)] \longrightarrow \tau_1[\Box(x \Rightarrow A\,\mathcal{W}\,y)] \wedge \tau_1[\Box(y \Rightarrow B)]$, $B$ not a literal.

$\tau_1[\Box(x \Rightarrow \neg(A\,\mathcal{W}\,B))] \longrightarrow \tau_1[\Box(x \Rightarrow (y\,\mathcal{U}\,v))] \wedge \tau_1[\Box(y \Rightarrow \neg B)] \wedge \tau_1[\Box(v \Rightarrow (y \wedge z))] \wedge \tau_1[\Box(z \Rightarrow \neg A)]$

The negated $\mathcal{W}$ and $\mathcal{U}$ operators involve the introduction of three new proposition
symbols. Consider the transformation applied to $x \Rightarrow \neg(A\,\mathcal{U}\,B)$. Applying the
equivalence provided in §2.3.1 we have $x \Rightarrow (\neg B\,\mathcal{W}\,(\neg A \wedge \neg B))$. To avoid repeating
the subformula $\neg B$ in the translation, and so that the resultant unless operator is
applied to proposition symbols, we introduce three new variables: $y$ replaces $\neg B$, $z$
replaces $\neg A$, $v$ replaces $y \wedge z$.

Then, any temporal operators, applied to literals, that are not allowed in the
normal form are removed as follows (where, again, $y$ is a new proposition symbol
and $l$ and $m$ are literals).

$\tau_1[\Box(x \Rightarrow \Box l)] \longrightarrow \tau_1[\Box(x \Rightarrow l)] \wedge \tau_1[\Box(x \Rightarrow y)] \wedge \Box(y \Rightarrow \bigcirc l) \wedge \Box(y \Rightarrow \bigcirc y)$

$\tau_1[\Box(x \Rightarrow l\,\mathcal{U}\,m)] \longrightarrow \Box(x \Rightarrow \Diamond m) \wedge \tau_1[\Box(x \Rightarrow (l \vee m))] \wedge \tau_1[\Box(x \Rightarrow (y \vee m))] \wedge \Box(y \Rightarrow \bigcirc(l \vee m)) \wedge \Box(y \Rightarrow \bigcirc(y \vee m))$

$\tau_1[\Box(x \Rightarrow l\,\mathcal{W}\,m)] \longrightarrow \tau_1[\Box(x \Rightarrow (l \vee m))] \wedge \tau_1[\Box(x \Rightarrow (y \vee m))] \wedge \Box(y \Rightarrow \bigcirc(l \vee m)) \wedge \Box(y \Rightarrow \bigcirc(y \vee m))$



Next, we use renaming on formulae whose right-hand side has disjunction as its
main operator but may not be in the correct form, where $y$ is a new proposition
symbol, $D$ is a disjunction of formulae and $A$ is neither a literal nor a disjunction
of literals.

$\tau_1[\Box(x \Rightarrow D \vee A)] \longrightarrow \tau_1[\Box(x \Rightarrow D \vee y)] \wedge \tau_1[\Box(y \Rightarrow A)]$

Finally, we rewrite formulae, containing no temporal operators, whose right-hand
side is a disjunction of literals, $\mathbf{true}$ or $\mathbf{false}$ (note that $\neg\mathbf{true}$ and $\neg\mathbf{false}$ are
rewritten to $\mathbf{false}$ and $\mathbf{true}$ respectively) into PLTL-clause form, and stop applying
the transformation to PLTL-clauses already in the correct form (where $D$ is a
disjunction of literals).

$\tau_1[\Box(x \Rightarrow D)] \longrightarrow \Box(\mathbf{start} \Rightarrow \neg x \vee D) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee D))$

$\tau_1[\Box(x \Rightarrow \mathbf{true})] \longrightarrow \Box(\mathbf{start} \Rightarrow \mathbf{true}) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc\mathbf{true})$

$\tau_1[\Box(x \Rightarrow \mathbf{false})] \longrightarrow \Box(\mathbf{start} \Rightarrow \neg x) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc\neg x)$

$\tau_1[\Box(x \Rightarrow \bigcirc(l_1 \vee \ldots \vee l_n))] \longrightarrow \Box(x \Rightarrow \bigcirc(l_1 \vee \ldots \vee l_n))$

Thus, the above transformations are applied until the formula is in the form

$\bigwedge_i \Box A_i$

where each $A_i$ is one of the three required formats. This, in turn, is equivalent to

$\Box \bigwedge_i A_i$.

3.3 Properties of the Translation to SNF 

Our aim is to show that the transformation is satisfiability preserving. This is shown
in two parts. Firstly, any model for a transformed formula is also a model for the
original and, secondly, given a model for a PLTL formula there is always a model for
its transformation into the normal form.
Thus, firstly, we show that

$\models \tau_0[W] \Rightarrow W$

i.e. any model for the transformed formula is a model for the original. However,
before we show this we first prove a lemma.

Lemma 1 For all PLTL formulae $W$

$\models \tau_1[\Box(x \Rightarrow W)] \Rightarrow \Box(x \Rightarrow W)$

where $x$ is a proposition symbol.
Proof 
The proof is carried out by induction on the structure of $W$. For the base cases we
have the following.

1. $\tau_1[\Box(x \Rightarrow \Diamond l)] = \Box(x \Rightarrow \Diamond l)$

2. $\tau_1[\Box(x \Rightarrow l_1 \vee \ldots \vee l_n)] = \Box(\mathbf{start} \Rightarrow \neg x \vee l_1 \vee \ldots \vee l_n) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee l_1 \vee \ldots \vee l_n))$
   $\Rightarrow \Box(x \Rightarrow (l_1 \vee \ldots \vee l_n))$

3. $\tau_1[\Box(x \Rightarrow \mathbf{true})] = \Box(\mathbf{start} \Rightarrow \mathbf{true}) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc\mathbf{true})$
   $\Rightarrow \Box(x \Rightarrow \mathbf{true})$

4. $\tau_1[\Box(x \Rightarrow \mathbf{false})] = \Box(\mathbf{start} \Rightarrow \neg x) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc\neg x)$
   $\Rightarrow \Box(x \Rightarrow \mathbf{false})$

5. $\tau_1[\Box(x \Rightarrow \bigcirc(l_1 \vee \ldots \vee l_n))] = \Box(x \Rightarrow \bigcirc(l_1 \vee \ldots \vee l_n))$

Now, we assume that the lemma holds for $A$, $B$, $\neg A$ and $\neg B$, e.g. $\tau_1[\Box(x \Rightarrow A)] \Rightarrow \Box(x \Rightarrow A)$,
and show it holds for all combinations of operators or negated
operators, e.g. $A \wedge B$, $\neg(A \wedge B)$, $\Box A$, $\neg\Box A$. We consider the cases for $\Box A$,
$\neg\Box A$, $A\,\mathcal{W}\,B$ and $\neg(A\,\mathcal{W}\,B)$ and note that proofs for the other operators are
similar (where $v$, $w$, $y$ and $z$ are new proposition symbols).

$\tau_1[\Box(x \Rightarrow \Box A)]$
$= \tau_1[\Box(x \Rightarrow \Box y)] \wedge \tau_1[\Box(y \Rightarrow A)]$
$= \tau_1[\Box(x \Rightarrow y)] \wedge \tau_1[\Box(x \Rightarrow z)] \wedge \Box(z \Rightarrow \bigcirc y) \wedge \Box(z \Rightarrow \bigcirc z) \wedge \tau_1[\Box(y \Rightarrow A)]$
$\Rightarrow \Box(\mathbf{start} \Rightarrow \neg x \vee y) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee y)) \wedge$
$\quad \Box(\mathbf{start} \Rightarrow \neg x \vee z) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee z)) \wedge$
$\quad \Box(z \Rightarrow \bigcirc y) \wedge \Box(z \Rightarrow \bigcirc z) \wedge \Box(y \Rightarrow A)$
$\Rightarrow \Box(x \Rightarrow \Box A)$

where $\tau_1[\Box(y \Rightarrow A)] \Rightarrow \Box(y \Rightarrow A)$ from the induction hypothesis.

$\tau_1[\Box(x \Rightarrow \neg\Box A)]$
$= \Box(x \Rightarrow \Diamond y) \wedge \tau_1[\Box(y \Rightarrow \neg A)]$
$\Rightarrow \Box(x \Rightarrow \Diamond y) \wedge \Box(y \Rightarrow \neg A)$
$\Rightarrow \Box(x \Rightarrow \Diamond\neg A)$
$\Rightarrow \Box(x \Rightarrow \neg\Box A)$

where $\tau_1[\Box(y \Rightarrow \neg A)] \Rightarrow \Box(y \Rightarrow \neg A)$ from the induction hypothesis.

$\tau_1[\Box(x \Rightarrow (A\,\mathcal{W}\,B))]$
$= \tau_1[\Box(x \Rightarrow y\,\mathcal{W}\,z)] \wedge \tau_1[\Box(y \Rightarrow A)] \wedge \tau_1[\Box(z \Rightarrow B)]$
$= \tau_1[\Box(x \Rightarrow y \vee z)] \wedge \tau_1[\Box(x \Rightarrow w \vee z)] \wedge$
$\quad \Box(w \Rightarrow \bigcirc(y \vee z)) \wedge \Box(w \Rightarrow \bigcirc(w \vee z)) \wedge$
$\quad \tau_1[\Box(y \Rightarrow A)] \wedge \tau_1[\Box(z \Rightarrow B)]$
$\Rightarrow \Box(\mathbf{start} \Rightarrow \neg x \vee y \vee z) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee y \vee z)) \wedge$
$\quad \Box(\mathbf{start} \Rightarrow \neg x \vee w \vee z) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee w \vee z)) \wedge$
$\quad \Box(w \Rightarrow \bigcirc(y \vee z)) \wedge \Box(w \Rightarrow \bigcirc(w \vee z)) \wedge$
$\quad \Box(y \Rightarrow A) \wedge \Box(z \Rightarrow B)$
$\Rightarrow \Box(x \Rightarrow (A\,\mathcal{W}\,B))$

$\tau_1[\Box(x \Rightarrow \neg(A\,\mathcal{W}\,B))]$
$= \tau_1[\Box(x \Rightarrow (y\,\mathcal{U}\,v))] \wedge \tau_1[\Box(v \Rightarrow (y \wedge z))] \wedge \tau_1[\Box(y \Rightarrow \neg B)] \wedge \tau_1[\Box(z \Rightarrow \neg A)]$
$= \tau_1[\Box(x \Rightarrow v \vee y)] \wedge \tau_1[\Box(x \Rightarrow v \vee w)] \wedge \Box(x \Rightarrow \Diamond v) \wedge$
$\quad \Box(w \Rightarrow \bigcirc(v \vee y)) \wedge \Box(w \Rightarrow \bigcirc(v \vee w)) \wedge$
$\quad \tau_1[\Box(v \Rightarrow (y \wedge z))] \wedge \tau_1[\Box(y \Rightarrow \neg B)] \wedge \tau_1[\Box(z \Rightarrow \neg A)]$
$\Rightarrow \Box(\mathbf{start} \Rightarrow \neg x \vee v \vee y) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee v \vee y)) \wedge$
$\quad \Box(\mathbf{start} \Rightarrow \neg x \vee v \vee w) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg x \vee v \vee w)) \wedge$
$\quad \Box(x \Rightarrow \Diamond v) \wedge$
$\quad \Box(w \Rightarrow \bigcirc(v \vee y)) \wedge \Box(w \Rightarrow \bigcirc(v \vee w)) \wedge$
$\quad \Box(\mathbf{start} \Rightarrow \neg v \vee y) \wedge \Box(\mathbf{start} \Rightarrow \neg v \vee z) \wedge$
$\quad \Box(\mathbf{true} \Rightarrow \bigcirc(\neg v \vee y)) \wedge \Box(\mathbf{true} \Rightarrow \bigcirc(\neg v \vee z)) \wedge$
$\quad \Box(y \Rightarrow \neg B) \wedge \Box(z \Rightarrow \neg A)$
$\Rightarrow \Box(x \Rightarrow (\neg B\,\mathcal{W}\,(\neg A \wedge \neg B))) \wedge \Box(x \Rightarrow \Diamond(\neg A \wedge \neg B))$
$\Rightarrow \Box(x \Rightarrow (\neg B\,\mathcal{U}\,(\neg A \wedge \neg B)))$
$\Rightarrow \Box(x \Rightarrow \neg(A\,\mathcal{W}\,B))$

□

Lemma 2 For all PLTL formulae $W$

$\models \tau_0[W] \Rightarrow W$

Proof

For any PLTL formula $W$, the first step in the transformation is to anchor $W$ to
the first moment in time, i.e. $\tau_0[W] \longrightarrow \Box(\mathbf{start} \Rightarrow x) \wedge \tau_1[\Box(x \Rightarrow W)]$. From
Lemma 1 we have shown that $\tau_1[\Box(x \Rightarrow W)] \Rightarrow \Box(x \Rightarrow W)$. Thus, as $x$ holds
at the first moment in time and the transformation implies that $(x \Rightarrow W)$ holds at
every moment in time, then $W$ also holds now. □

Next we show that for any satisfiable formula its translation is also satisfiable,
i.e. for any PLTL formula $W$, if $W$ is satisfiable then $\tau_0[W]$ is satisfiable. This
is established by showing that, given a model for a formula at some stage in the
transformation process, for each step carried out in the transformation we can find
a model for the transformed formula.

Definition 1 [Pre-PLTL-clause form] A PLTL formula is said to be in pre-PLTL-clause
form if and only if it has the structure

$\Box(x_i \Rightarrow W_i)$

where $x_i$ is a proposition symbol (or $\mathbf{start}$) and $W_i$ is a PLTL formula.



Lemma 3 Let $\sigma$ be a model such that

$(\sigma, 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow W)$

where each $R_h$ is in pre-PLTL-clause form (i.e. an implication where the proposition
symbol on the left hand side of each implication may be different). Then, there exists
a model $\sigma'$ such that

$(\sigma', 0) \models \bigwedge_h \Box R_h \wedge \bigwedge_j \Box S_j \wedge \bigwedge_k \Box T_k$

where $R_h$ is in pre-PLTL-clause form, $S_j$ is in pre-PLTL-clause form and $T_k$ is in
PLTL-clause form, resulting from one step of the $\tau_1$ transformation, i.e.

$\tau_1[\Box(x \Rightarrow W)] \longrightarrow \bigwedge_j \tau_1[\Box S_j] \wedge \bigwedge_k \Box T_k$
Proof

We examine the structure of $W$. There are three main types of transformation
that can be applied: the removal of classical operators, the renaming of complex
subformulae and the rewriting of temporal operators applied to literals. We begin
by considering the removal of classical operators.
First, assume $W$ is a conjunction $A \wedge B$, i.e.

$(\sigma, 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow (A \wedge B))$.

Applying the $\tau_1$ translation we have

$\tau_1[\Box(x \Rightarrow (A \wedge B))] = \tau_1[\Box(x \Rightarrow A)] \wedge \tau_1[\Box(x \Rightarrow B)]$

and so we must show there is a model $\sigma'$ such that

$(\sigma', 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow A) \wedge \Box(x \Rightarrow B)$.

Now, as $(\sigma, 0) \models \Box(x \Rightarrow (A \wedge B))$, for all $i \in \mathbb{N}$, if $(\sigma, i) \models x$ then both $(\sigma, i) \models A$
and $(\sigma, i) \models B$. That is

$(\sigma, 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow A) \wedge \Box(x \Rightarrow B)$.

So, by setting $\sigma'$ equal to $\sigma$ we have such a model. The proofs are similar for the
other classical logic operators.

Next, we consider renaming transformations and assume $W$ is of the form $\Box A$
where $A$ is not a literal. Now, assume that there exists a $\sigma$ such that

$(\sigma, 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow \Box A)$.

By applying the $\tau_1$ transformation we have

$\tau_1[\Box(x \Rightarrow \Box A)] = \tau_1[\Box(x \Rightarrow \Box y)] \wedge \tau_1[\Box(y \Rightarrow A)]$

where $y$ is a new proposition symbol. Thus, we must show that there exists a model
$\sigma'$ such that

$(\sigma', 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow \Box y) \wedge \Box(y \Rightarrow A)$.

First assume that $x$ is never satisfied in $\sigma$. A model $\sigma'$ identical to $\sigma$ except it
contains the variable $y$ such that $y$ is false everywhere will suffice. Otherwise let $j$
be the first place that $x$ is satisfied in $\sigma$. As $(\sigma, 0) \models \Box(x \Rightarrow \Box A)$, for all $i \geq j$
$(\sigma, i) \models A$. Let $\sigma'$ be the same as $\sigma$ except it contains a new proposition symbol $y$
that is satisfied in all $i \geq j$ and unsatisfied elsewhere, i.e. $0 \leq i < j$. Thus, as $\sigma'$ is
identical to $\sigma$, except for $y$, we have $(\sigma', i) \models A$ for all $i \geq j$ and from the definition
of $\sigma'$ we have for all $i \geq j$, $(\sigma', i) \models y$ and, for all $i < j$, $(\sigma', i) \models \neg y$. Thus, from
the semantics of PLTL, $(\sigma', 0) \models \Box(y \Rightarrow A)$. Now, as $(\sigma', i) \models y$ for all $i \geq j$ then
$(\sigma', j) \models \Box y$ from the semantics of $\Box$. Also, as $(\sigma', j) \models x$ and by assumption $j$ is
the first place $x$ is satisfied in $\sigma$ and therefore $\sigma'$, $(\sigma', 0) \models \Box(x \Rightarrow \Box y)$. Further

$(\sigma', 0) \models \bigwedge_h \Box R_h$

as

$(\sigma, 0) \models \bigwedge_h \Box R_h$

from our choice of $\sigma'$. Hence

$(\sigma', 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow \Box y) \wedge \Box(y \Rightarrow A)$

as desired. The proofs of other renaming operations are similar.

Finally we consider the removal of unwanted temporal operators. Again, we let
$W$ be $\Box A$ but this time assume that $A$ is a literal. Assume that there exists a $\sigma$
such that

$(\sigma, 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow \Box A)$.

By applying the $\tau_1$ transformation we obtain

$\tau_1[\Box(x \Rightarrow \Box A)] = \tau_1[\Box(x \Rightarrow A)] \wedge \tau_1[\Box(x \Rightarrow y)] \wedge \Box(y \Rightarrow \bigcirc A) \wedge \Box(y \Rightarrow \bigcirc y)$

where $y$ is a new proposition symbol. Thus, we must show that there exists a model
$\sigma'$ such that

$(\sigma', 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow A) \wedge \Box(x \Rightarrow y) \wedge \Box(y \Rightarrow \bigcirc A) \wedge \Box(y \Rightarrow \bigcirc y)$.

First assume that $x$ is never satisfied in $\sigma$. Similarly to the above, a model $\sigma'$
identical to $\sigma$ except containing the variable $y$ such that $y$ is false everywhere will
suffice. Otherwise let $j$ be the first place that $x$ is satisfied in $\sigma$. Let $\sigma'$ be the
model that is identical to $\sigma$ except it contains the variable $y$ such that for all $i \geq j$,
$(\sigma', i) \models y$ and for all $0 \leq i < j$, $(\sigma', i) \models \neg y$. Thus, as $\sigma$ is the same as $\sigma'$ except
for the valuation of $y$, and

$(\sigma, 0) \models \bigwedge_h \Box R_h$

then we have

$(\sigma', 0) \models \bigwedge_h \Box R_h$.

We have assumed that $(\sigma, 0) \models \Box(x \Rightarrow \Box A)$ so for all $i \geq j$, $(\sigma, i) \models A$, hence for
all $i \geq j$, $(\sigma', i) \models A$. Thus, as $(\sigma', j) \models x$, where $j$ is the first place that $x$ holds,
and for all $i \geq j$, $(\sigma', i) \models A$, we have $(\sigma', 0) \models \Box(x \Rightarrow A)$. Now as $j$ is the first
place that $x$ holds and $(\sigma', i) \models y$ for all $i \geq j$ we have $(\sigma', 0) \models \Box(x \Rightarrow y)$ and
$(\sigma', 0) \models \Box(y \Rightarrow \bigcirc y)$. Also, as for all $i \geq j$, $(\sigma, i) \models A$ then, due to our choice of $\sigma'$, for
all $i \geq j$, $(\sigma', i) \models A$ and so $(\sigma', 0) \models \Box(y \Rightarrow \bigcirc A)$. Hence

$(\sigma', 0) \models \bigwedge_h \Box R_h \wedge \Box(x \Rightarrow A) \wedge \Box(x \Rightarrow y) \wedge \Box(y \Rightarrow \bigcirc A) \wedge \Box(y \Rightarrow \bigcirc y)$

as required. □



Lemma 4 Given a model $\sigma$, and a PLTL formula $W$, such that $(\sigma, 0) \models W$, there
exists a model $\sigma'$ such that $(\sigma', 0) \models \tau_0[W]$.

Proof

Firstly note that if $(\sigma, 0) \models W$ then there is a model $\sigma''$ such that

$(\sigma'', 0) \models (\mathbf{start} \Rightarrow y) \wedge \Box(y \Rightarrow W)$.

The model $\sigma''$ is identical to $\sigma$ except it includes the new proposition symbol $y$
which is set to true where $i = 0$ and false everywhere else. Applying $\tau_0$ to $W$, we
obtain

$(\mathbf{start} \Rightarrow y) \wedge \tau_1[\Box(y \Rightarrow W)]$.

Now, from Lemma 3, and given that $(\mathbf{start} \Rightarrow y) \wedge \Box(y \Rightarrow W)$ has a model
$\sigma''$, every application of the $\tau_1$ transformation can be satisfied in some new model.
Hence, if $W$ has a model then there exists a model that satisfies $\tau_0[W]$. □

Theorem 3 A PLTL formula $A$ is satisfiable if, and only if, $\tau_0[A]$ is satisfiable.

Proof

Lemmas 1 and 2 above show that if $\tau_0[A]$ is satisfiable in a model, then $A$ is satisfiable
in the same model. Lemmas 3 and 4 show that, given a model for $A$, we
can construct a model for $\tau_0[A]$. □



3.4 Example 

We illustrate the translation to the normal form by carrying out a simple example
transformation. Assume we want to show

$(\Diamond p \wedge \Box(p \Rightarrow \bigcirc p)) \Rightarrow \Diamond\Box p$

is valid. We negate, obtaining

$(\Diamond p \wedge \Box(p \Rightarrow \bigcirc p)) \wedge \Box\Diamond\neg p$

and begin to translate this into SNF. First, we anchor to the beginning of time and
split the conjuncts.

1. $\mathbf{start} \Rightarrow f$

2. $f \Rightarrow \Diamond p$

3. $f \Rightarrow \Box(p \Rightarrow \bigcirc p)$

4. $f \Rightarrow \Box\Diamond\neg p$

Formulae labelled 1 and 2 are now in normal form. We work on formula 3, renaming
the subformula $p \Rightarrow \bigcirc p$.

5. $f \Rightarrow \Box q$

6. $q \Rightarrow (p \Rightarrow \bigcirc p)$

Next, we apply the $\Box$ removal rules to formula 5 (to give 7, 8, 9 and 10) and
rewrite formula 6 (to give 11).

7. $f \Rightarrow q$

8. $f \Rightarrow r$

9. $r \Rightarrow \bigcirc q$

10. $r \Rightarrow \bigcirc r$

11. $q \Rightarrow (\neg p \vee \bigcirc p)$

Then, formulae 7 and 8 are rewritten into the normal form (giving 12-15) and the
subformula $\bigcirc p$ in formula 11 is renamed.

12. $\mathbf{start} \Rightarrow \neg f \vee q$

13. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee q)$

14. $\mathbf{start} \Rightarrow \neg f \vee r$

15. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee r)$

16. $q \Rightarrow (\neg p \vee s)$

17. $s \Rightarrow \bigcirc p$

Formula 16 is then rewritten into the correct form.

18. $\mathbf{start} \Rightarrow (\neg q \vee \neg p \vee s)$

19. $\mathbf{true} \Rightarrow \bigcirc(\neg q \vee \neg p \vee s)$

Next, we work on formula 4, renaming $\Diamond\neg p$ with the new proposition symbol $t$.

20. $f \Rightarrow \Box t$

21. $t \Rightarrow \Diamond\neg p$

Then, we remove the $\Box$ operator from formula 20 as previously

22. $f \Rightarrow t$

23. $f \Rightarrow u$

24. $u \Rightarrow \bigcirc t$

25. $u \Rightarrow \bigcirc u$

and finally write formulae 22 and 23 into the normal form.

26. $\mathbf{start} \Rightarrow \neg f \vee t$

27. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee t)$

28. $\mathbf{start} \Rightarrow \neg f \vee u$

29. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee u)$

The resulting normal form is as follows.

1. $\mathbf{start} \Rightarrow f$

2. $f \Rightarrow \Diamond p$

9. $r \Rightarrow \bigcirc q$

10. $r \Rightarrow \bigcirc r$

12. $\mathbf{start} \Rightarrow \neg f \vee q$

13. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee q)$

14. $\mathbf{start} \Rightarrow \neg f \vee r$

15. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee r)$

17. $s \Rightarrow \bigcirc p$

18. $\mathbf{start} \Rightarrow (\neg q \vee \neg p \vee s)$

19. $\mathbf{true} \Rightarrow \bigcirc(\neg q \vee \neg p \vee s)$

21. $t \Rightarrow \Diamond\neg p$

24. $u \Rightarrow \bigcirc t$

25. $u \Rightarrow \bigcirc u$

26. $\mathbf{start} \Rightarrow \neg f \vee t$

27. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee t)$

28. $\mathbf{start} \Rightarrow \neg f \vee u$

29. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee u)$




4 Resolution Rules 

Once a formula has been transformed into SNF, both step resolution and temporal
resolution operations can be applied. Step resolution effectively consists of the application
of the standard classical resolution rule to formulae representing constraints
at a particular moment in time, together with simplification rules, subsumption
rules, and rules for transferring contradictions within states to constraints on previous
states. Temporal resolution resolves a sometime PLTL-clause whose right
hand side is, for example, $\Diamond l$ with a set of SNF$_m$ PLTL-clauses that together imply
that $l$ is always false. We also describe augmentation, the addition of new variables
required to translate the resolvent from temporal resolution into SNF at the start
of the proof. This is useful in ensuring that no new proposition symbols need to be
added during the proof.

4.1 Step Resolution 

Pairs of initial or step PLTL-clauses may be resolved using the following (resolution)
operations (where $A$ and $B$ are disjunctions of literals, $C$ and $D$ are conjunctions
of literals and $p$ is a proposition).

$$\frac{\mathbf{start} \Rightarrow A \vee p \qquad \mathbf{start} \Rightarrow B \vee \neg p}{\mathbf{start} \Rightarrow A \vee B}$$

$$\frac{C \Rightarrow \bigcirc(A \vee p) \qquad D \Rightarrow \bigcirc(B \vee \neg p)}{(C \wedge D) \Rightarrow \bigcirc(A \vee B)}$$

The following is used for PLTL-clauses which imply false (where $A$ is a conjunction
of literals).

$$\{A \Rightarrow \bigcirc\mathbf{false}\} \longrightarrow \left\{\begin{array}{l} \mathbf{start} \Rightarrow \neg A \\ \mathbf{true} \Rightarrow \bigcirc\neg A \end{array}\right\}$$

Thus, if, by satisfying $A$, a contradiction is produced in the next moment, then $A$
must never be satisfied. The new constraints generated effectively represent $\Box\neg A$.
This rewrite keeps formulae in the suggested normal form and may, in turn, allow
further step resolution inferences to be carried out.

PLTL-clauses are kept in their simplest form by performing classical style simplification,
for example performing the following contraction operations.

$$(l \wedge A \wedge l) \Rightarrow \bigcirc B \quad\longrightarrow\quad (l \wedge A) \Rightarrow \bigcirc B$$

$$(l \wedge A \wedge \neg l) \Rightarrow \bigcirc B \quad\longrightarrow\quad \mathbf{false} \Rightarrow \bigcirc B$$

$$(A \wedge \mathbf{true}) \Rightarrow \bigcirc B \quad\longrightarrow\quad A \Rightarrow \bigcirc B$$

$$(A \wedge \mathbf{false}) \Rightarrow \bigcirc B \quad\longrightarrow\quad \mathbf{false} \Rightarrow \bigcirc B$$

$$A \Rightarrow \bigcirc(l \vee B \vee l) \quad\longrightarrow\quad A \Rightarrow \bigcirc(l \vee B)$$

$$A \Rightarrow \bigcirc(l \vee B \vee \neg l) \quad\longrightarrow\quad A \Rightarrow \bigcirc\mathbf{true}$$

$$A \Rightarrow \bigcirc(B \vee \mathbf{true}) \quad\longrightarrow\quad A \Rightarrow \bigcirc\mathbf{true}$$

$$A \Rightarrow \bigcirc(B \vee \mathbf{false}) \quad\longrightarrow\quad A \Rightarrow \bigcirc B$$


The following SNF PLTL-clauses can be removed during simplification as they
represent valid subformulae and therefore cannot contribute to the generation of a
contradiction.

$$\mathbf{false} \Rightarrow \bigcirc A$$

$$A \Rightarrow \bigcirc\mathbf{true}$$

The first PLTL-clause is valid as $\mathbf{false}$ can never be satisfied, and the second is
valid as $\bigcirc\mathbf{true}$ is always satisfied.

Subsumption also forms part of the step resolution process. Here, as in classical
resolution, a PLTL-clause may be removed from the PLTL-clause-set if it is subsumed
by another PLTL-clause already present. Subsumption may be expressed as
the following operation.

$$\{C \Rightarrow A,\; D \Rightarrow B\} \longrightarrow \{D \Rightarrow B\}$$

The side conditions $\vdash C \Rightarrow D$ and $\vdash B \Rightarrow A$ must hold before this subsumption step
can be applied and, in this case, the PLTL-clause $C \Rightarrow A$ can be deleted without
losing information.

The step resolution process terminates when either no new resolvents can be
generated or a contradiction is derived by generating the following unsatisfiable
formula

$$\mathbf{start} \Rightarrow \mathbf{false}.$$

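As an added example (not code from the paper), the following Python implements the initial and step resolution rules, the $\bigcirc\mathbf{false}$ rewrite, the contraction operations and subsumption described in this section, and saturates the SNF clauses of the §5.1 step resolution example until $\mathbf{start} \Rightarrow \mathbf{false}$ is derived; the string encoding of literals and the triple encoding of clauses are assumptions of the example.

```python
# Added example (not the paper's own code): step resolution over SNF
# PLTL-clauses as described in Section 4.1, run on the clauses of the
# step resolution example in Section 5.1.  Representation (assumed here):
# a literal is a string such as "a" or "~a"; a clause is a triple
# (kind, lhs, rhs) with kind "initial" (start => rhs) or "step"
# (lhs => O rhs), lhs the conjunction of literals on the left (empty set
# = start / true) and rhs the disjunction of literals on the right
# (empty set = false).
from itertools import combinations


def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def initial(*rhs):
    """start => rhs (no arguments gives start => false)."""
    return ("initial", frozenset(), frozenset(rhs))


def step(lhs, *rhs):
    """lhs => O rhs; lhs is an iterable of literals, () meaning true."""
    return ("step", frozenset(lhs), frozenset(rhs))


def simplify(clause):
    """Contraction operations of Section 4.1 (duplicate literals vanish
    because sets are used).  Returns None for a clause that is valid and
    can be dropped: a complementary pair on the left makes it
    false => O B, a complementary pair on the right makes it A => O true."""
    kind, lhs, rhs = clause
    if any(neg(l) in lhs for l in lhs) or any(neg(l) in rhs for l in rhs):
        return None
    return clause


def resolve(c1, c2):
    """The initial / step resolution rules of Section 4.1: initial clauses
    resolve with initial clauses and step clauses with step clauses, on
    each complementary pair p, ~p across the right-hand sides."""
    if c1[0] != c2[0]:
        return
    for lit in c1[2]:
        if neg(lit) in c2[2]:
            rhs = (c1[2] - {lit}) | (c2[2] - {neg(lit)})
            r = simplify((c1[0], c1[1] | c2[1], frozenset(rhs)))
            if r is not None:
                yield r


def rewrite_false(clause):
    """{A => O false} -> {start => ~A, true => O ~A}, i.e. box ~A."""
    kind, lhs, rhs = clause
    if kind == "step" and not rhs:
        not_a = frozenset(neg(l) for l in lhs)
        return [("initial", frozenset(), not_a), ("step", frozenset(), not_a)]
    return []


def subsumed(c, clauses):
    """D => B subsumes C => A when |- C => D (D's conjuncts are among C's)
    and |- B => A (B's disjuncts are among A's)."""
    return any(d != c and d[0] == c[0] and d[1] <= c[1] and d[2] <= c[2]
               for d in clauses)


def step_resolution(clauses):
    """Saturate under step resolution, simplification, the O false rewrite
    and subsumption.  Returns (refuted, clause set); refuted is True when
    start => false has been derived."""
    clauses = {c for c in map(simplify, clauses) if c is not None}
    while initial() not in clauses:
        new = set()
        for c1, c2 in combinations(clauses, 2):
            for r in resolve(c1, c2):
                new.add(r)
                new.update(rewrite_false(r))
        new = {c for c in new if c not in clauses and not subsumed(c, clauses)}
        if not new:
            return False, clauses
        clauses |= new
    return True, clauses


# Clauses 1-6 of the Section 5.1 example: the negation of
# O(a => b) => (Oa => Ob) in SNF.
EXAMPLE_5_1 = [
    initial("f"),                   # 1. start => f
    step(["f"], "x"),               # 2. f => O x
    initial("~x", "~a", "b"),       # 3. start => ~x v ~a v b
    step([], "~x", "~a", "b"),      # 4. true => O(~x v ~a v b)
    step(["f"], "a"),               # 5. f => O a
    step(["f"], "~b"),              # 6. f => O ~b
]

if __name__ == "__main__":
    refuted, derived = step_resolution(EXAMPLE_5_1)
    print("start => false derived:", refuted)
```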
4.2 Temporal Resolution 

The temporal resolution operation effectively resolves together formulae containing
the '$\Box$' and '$\Diamond$' connectives. However, the inductive interaction between the '$\Box$'
and '$\Diamond$' connectives in PLTL ensures that the application of such an operation is
non-trivial. Further, as the translation to SNF restricts the PLTL-clauses to be of
a certain form, the application of such an operation will be between a sometime
PLTL-clause and a set of step PLTL-clauses that together ensure a complementary
literal will always hold. Intuitively, temporal resolution may be applied between an
eventuality, i.e. a formula $\Diamond l$ from the right-hand side of a sometime PLTL-clause
such as $C \Rightarrow \Diamond l$, and a formula which forces $l$ always to be false. Once the left-hand
side of the sometime PLTL-clause (i.e., $C$) is satisfied then, for the formula to be
satisfiable, there must be no other PLTL-clauses forcing $l$ to always be false. To
resolve with $C \Rightarrow \Diamond l$ then, a set of SNF$_m$ PLTL-clauses (see §3.1) must be identified
such that they characterise $A \Rightarrow \bigcirc\Box\neg l$ (where $A$ is in DNF)*. So, the general
temporal resolution operation, written as an inference rule, becomes

$$\frac{A \Rightarrow \bigcirc\Box\neg l \qquad C \Rightarrow \Diamond l}{C \Rightarrow (\neg A)\,\mathcal{W}\,l}$$

The intuition behind the resolvent is that, once $C$ has occurred then $A$ must not
be satisfied until $l$ has occurred (i.e. the eventuality has been satisfied). (Note
that the generation of $C \Rightarrow (\neg A)\,\mathcal{U}\,l$ as a resolvent would be sound. However as
$(\neg A)\,\mathcal{U}\,l \equiv ((\neg A)\,\mathcal{W}\,l) \wedge \Diamond l$ the resolvent would be equivalent to the pair of resolvents
$C \Rightarrow (\neg A)\,\mathcal{W}\,l$ and $C \Rightarrow \Diamond l$. The latter is subsumed by the sometime PLTL-clause
we have resolved with. So this leaves only the '$\mathcal{W}$' formula.) The resolvent must
next be translated into SNF. In previous presentations, for example, [Fis91], two
resolvents have been given. As the resolvent given here is sufficient for completeness
we omit the second.

In SNF we have no PLTL-clauses of the form $A \Rightarrow \bigcirc\Box\neg l$. So the full temporal
resolution operation applies between a sometime PLTL-clause and a set of SNF$_m$
PLTL-clauses that together imply $A \Rightarrow \bigcirc\Box\neg l$. The temporal resolution operation,
in detail, is

$$\frac{\begin{array}{rcl} A_0 & \Rightarrow & \bigcirc B_0 \\ & \vdots & \\ A_n & \Rightarrow & \bigcirc B_n \\ C & \Rightarrow & \Diamond l \end{array}}{C \Rightarrow \left(\bigwedge_{i=0}^{n} \neg A_i\right)\mathcal{W}\,l}$$

with the side conditions that, for all $i$, $0 \leq i \leq n$,

$$\vdash B_i \Rightarrow \neg l; \quad\text{and}$$

$$\vdash B_i \Rightarrow \bigvee_{j=0}^{n} A_j.$$

Here, the side conditions are simply propositional formulae so they must hold in
(classical) propositional logic. The first side condition ensures that by satisfying
any $B_i$ then $\neg l$ will be satisfied. The second shows that once some $B_i$ is satisfied
then one of the left hand sides ($A_j$) will also be satisfied. Hence, if any $A_i$ is satisfied
then, in the next moment, $B_i$ is satisfied as is $A_j$ for some $j$ and so on, so
that

$$\left(\bigvee_i A_i\right) \Rightarrow \bigcirc\Box\neg l.$$

The set of SNF$_m$ PLTL-clauses $A_i \Rightarrow \bigcirc B_i$ that satisfy these side conditions are
together known as a loop in $\neg l$. The disjunction of the left hand sides of this set of
SNF$_m$ PLTL-clauses, i.e.

$$\bigvee_{i=0}^{n} A_i$$

is known as a loop formula for $\neg l$. The most complex part of this approach is the
search for the set of SNF$_m$ PLTL-clauses to use in the application of the temporal
resolution operation. Detailed explanation of the techniques developed for this
search is beyond the scope of this paper but is discussed at length in [DFJ95,
Dix96, Dix98].

* The $\bigcirc$ operator occurs because it is $\bigcirc\Box\neg l$ rather than $\Box\neg l$ that is actually generated from
a set of merged SNF step clauses.



The resolvent must be translated into SNF before any further resolution steps.
A translation to the normal form is given below that avoids the renaming of the
subformula

$$\bigwedge_{i=0}^{n} \neg A_i$$

where $t$ is a new proposition symbol and $i = 0, \ldots, n$. Thus, for each of the PLTL-clauses
(1), (2) and (5) there are $n + 1$ copies, one for each $A_i$. (N.B., we will see
in §6.3 that this is important for completeness.)

$$\mathbf{start} \Rightarrow \neg C \vee l \vee \neg A_i \qquad (1)$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg C \vee l \vee \neg A_i) \qquad (2)$$

$$\mathbf{start} \Rightarrow \neg C \vee l \vee t \qquad (3)$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg C \vee l \vee t) \qquad (4)$$

$$t \Rightarrow \bigcirc(l \vee \neg A_i) \qquad (5)$$

$$t \Rightarrow \bigcirc(l \vee t) \qquad (6)$$

We note that only the resolvents (1), (2) and (5) depend on the particular loop
being resolved with, i.e. contain a reference to $A_i$.



4.3 Augmentation 

The introduction of new variables, such as $t$ above, makes proofs about the temporal
resolution method more difficult. Furthermore, if a temporal resolution proof
involves two temporal resolution inferences involving the same literal, we may introduce
two new variables where one would suffice. Thus, for $n$ different eventualities
we only require $n$ new proposition symbols. We introduce these new proposition
symbols at the start of the proof by adding the resolvents that do not contain $\neg A_i$,
that is, have no reference to the loop detected (i.e. the PLTL-clauses above labelled
(3), (4) and (6)) at the beginning, and the rest of the PLTL-clauses, if required, as the
proof proceeds. The following definitions formalise this technique. Given an eventuality
$\Diamond l$, the new proposition symbol introduced is $w_l$ (rather than $t$ above) which
can be thought of as waiting for $l$. Hence having translated to SNF and augmented,
we can be sure that no new proposition symbols appear during the application of
the resolution rules.

Definition 2 [Augmented PLTL-Clause Sets] Given a set, $S$, of SNF PLTL-clauses,
we construct an augmented set of PLTL-clauses $\mathit{Aug}(S)$ as follows. For each literal
$l$ which occurs as an eventuality in $S$ we introduce a new proposition symbol, $w_l$, and
record the correspondence between $l$ and $w_l$. The variable $w_l$ will be used to record
the condition that we are waiting for $l$ to occur. The first defining PLTL-clause for
$w_l$ is

$$w_l \Rightarrow \bigcirc(l \vee w_l). \qquad (7)$$

Then, for each PLTL-clause $C \Rightarrow \Diamond l$, we add both

$$\mathbf{start} \Rightarrow \neg C \vee l \vee w_l \qquad (8)$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg C \vee l \vee w_l). \qquad (9)$$
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Definition 3 The loop resolvents for a sometime PLTL-clause C ^ (}l and a loop 
formula \J ■ Ai are 



start ^ ^CWlW ^A^ 
true ^ 0(^Cv;v^^i) 
Wl 0{l\/^A,) 



(10) 

(11) 
(12) 



for each i. 



Note, the loop resolvents for a particular sometime clause and loop formula are the 
only clauses added to the clause-set by applying the temporal resolution rule. 

4.4 An Algorithm for the Temporal Resolution Method 

Given any temporal formula, $A$, to be tested for unsatisfiability, the following steps
are performed.

1. Translate $A$ into SNF, giving $A_s$.

2. Augment $A_s$, giving $\mathit{Aug}(A_s)$.

3. Perform step resolution (including simplification and subsumption) on $\mathit{Aug}(A_s)$
until either

(a) $\mathbf{start} \Rightarrow \mathbf{false}$ is derived — terminate noting that $A$ is unsatisfiable; or

(b) no new resolvents are generated — continue to step (4).

4. Select an eventuality from the right-hand side of a sometime PLTL-clause
within $\mathit{Aug}(A_s)$, for example $\Diamond l$. Search for loop-formulae for $\neg l$.

5. Construct loop resolvents for the loop-formulae detected and each sometime
PLTL-clause with $\Diamond l$ on the right-hand side. If any new formulae (i.e. that
are not subsumed by PLTL-clauses already present) have been generated, go
to step (3).

6. If all eventualities have been resolved, terminate declaring $A$ satisfiable, otherwise
go to step (4).

We will consider the soundness, completeness and termination of this method in §6.
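As an added example (not code from the paper), the following Python checks the two side conditions of the temporal resolution rule from §4.2 on a candidate loop, and generates the augmentation clauses (7)-(9) of Definition 2 and the loop resolvents (10)-(12) of Definition 3, using the sometime clause and the loop in $p$ from the §5.2 example; the literal and clause encoding, and the `merge` function standing in for the merged-SNF rule of §3.1, are assumptions of the example.

```python
# Added example (not the paper's own code): the side conditions of the
# temporal resolution rule (Section 4.2) and the augmentation and loop
# resolvent clauses of Definitions 2 and 3, run on the clause set of the
# example in Section 5.2.  Representation (assumed here): a literal is a
# string such as "p" or "~p"; an SNF_m clause A_i => O B_i is a pair of
# frozensets (conjunction A_i, conjunction B_i); a sometime clause
# C => <>l is a pair (frozenset C, literal l); generated SNF clauses are
# (kind, lhs, rhs) triples, lhs a conjunction and rhs a disjunction.


def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def merge(c1, c2):
    """Merged-SNF (the Section 3.1 rule, as assumed here): A => O B and
    C => O D give (A ^ C) => O (B ^ D); the right-hand sides are single
    literals or conjunctions, so they are joined as conjunctions."""
    (a, b), (c, d) = c1, c2
    return (frozenset(a | c), frozenset(b | d))


def is_loop(merged, l):
    """Side conditions for a loop in ~l: for every A_i => O B_i,
    |- B_i => ~l and |- B_i => \\/_j A_j.  For conjunctions of literals
    the first holds iff ~l is a conjunct of B_i (or B_i is contradictory),
    the second iff some A_j is a sub-conjunction of B_i."""
    lefts = [a for a, _ in merged]
    for _, b in merged:
        contradictory = any(neg(x) in b for x in b)
        if not contradictory and neg(l) not in b:
            return False
        if not any(a <= b for a in lefts):
            return False
    return True


def waiting(l):
    """The augmentation symbol w_l ('waiting for l') of Section 4.3."""
    return "w_" + l


def augment(sometime_clauses):
    """Definition 2: clauses (7), (8) and (9) for each C => <>l."""
    out = set()
    for c, l in sometime_clauses:
        w = waiting(l)
        not_c = frozenset(neg(x) for x in c)
        out.add(("step", frozenset([w]), frozenset([l, w])))  # (7) w_l => O(l v w_l)
        out.add(("initial", frozenset(), not_c | {l, w}))     # (8) start => ~C v l v w_l
        out.add(("step", frozenset(), not_c | {l, w}))        # (9) true => O(~C v l v w_l)
    return out


def loop_resolvents(sometime, merged):
    """Definition 3: for C => <>l and a loop \\/_i A_i, clauses (10), (11)
    and (12) for each i.  Raises ValueError if the side conditions fail."""
    c, l = sometime
    if not is_loop(merged, l):
        raise ValueError("side conditions of temporal resolution not met")
    not_c = frozenset(neg(x) for x in c)
    out = set()
    for a, _ in merged:
        not_a = frozenset(neg(x) for x in a)
        out.add(("initial", frozenset(), not_c | {l} | not_a))             # (10)
        out.add(("step", frozenset(), not_c | {l} | not_a))                # (11)
        out.add(("step", frozenset([waiting(l)]), frozenset([l]) | not_a))  # (12)
    return out


# Section 5.2: clause 4 is f => <>~p; clauses 9 and 14 (a => Op, a => Ob)
# and 7 and 8 (b => Oa, b => Op) merge into the loop in p.
CLAUSE_4 = (frozenset(["f"]), "~p")
LOOP_IN_P = [
    merge((frozenset(["a"]), frozenset(["p"])), (frozenset(["a"]), frozenset(["b"]))),
    merge((frozenset(["b"]), frozenset(["a"])), (frozenset(["b"]), frozenset(["p"]))),
]

if __name__ == "__main__":
    for clause in augment([CLAUSE_4]):
        print("augmentation:", clause)
    for clause in loop_resolvents(CLAUSE_4, LOOP_IN_P):
        print("loop resolvent:", clause)
```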

5 Examples 

We illustrate the method by presenting a selection of examples.

5.1 Step Resolution Example

We prove an instance of one of the PLTL axioms that requires only step resolution,
namely

$$\vdash \bigcirc(a \Rightarrow b) \Rightarrow (\bigcirc a \Rightarrow \bigcirc b).$$

We negate

$$\bigcirc(a \Rightarrow b) \wedge (\bigcirc a \wedge \bigcirc\neg b)$$

and rewrite into SNF as follows.

1. $\mathbf{start} \Rightarrow f$

2. $f \Rightarrow \bigcirc x$

3. $\mathbf{start} \Rightarrow \neg x \vee \neg a \vee b$

4. $\mathbf{true} \Rightarrow \bigcirc(\neg x \vee \neg a \vee b)$

5. $f \Rightarrow \bigcirc a$

6. $f \Rightarrow \bigcirc\neg b$

There are no sometime PLTL-clauses so augmentation adds no new PLTL-clauses.
Resolution can be carried out as follows.

7. $f \Rightarrow \bigcirc(\neg x \vee \neg a)$ [4, 6 Step Resolution]

8. $f \Rightarrow \bigcirc\neg x$ [5, 7 Step Resolution]

9. $f \Rightarrow \bigcirc\mathbf{false}$ [2, 8 Step Resolution]

10. $\mathbf{start} \Rightarrow \neg f$ [9 Rewriting]

11. $\mathbf{true} \Rightarrow \bigcirc\neg f$ [9 Rewriting]

12. $\mathbf{start} \Rightarrow \mathbf{false}$ [1, 10 (Initial) Step Resolution]

A contradiction has been obtained meaning the negated formula is unsatisfiable and
therefore the original formula is valid.

5.2 Temporal Resolution Example (From a Set of Clauses)

Assume we wish to show that the following set of PLTL-clauses (already translated
into SNF) is unsatisfiable.

1. $\mathbf{start} \Rightarrow f$

2. $\mathbf{start} \Rightarrow a$

3. $\mathbf{start} \Rightarrow p$

4. $f \Rightarrow \Diamond\neg p$

5. $f \Rightarrow \bigcirc a$

6. $a \Rightarrow \bigcirc(b \vee x)$

7. $b \Rightarrow \bigcirc a$

8. $b \Rightarrow \bigcirc p$

9. $a \Rightarrow \bigcirc p$

10. $a \Rightarrow \bigcirc\neg x$

As the set of PLTL-clauses contains a sometime PLTL-clause (no. 4) we augment
with the following PLTL-clauses.

11. $\mathbf{start} \Rightarrow \neg f \vee \neg p \vee w_{\neg p}$ [4 Augmentation]

12. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee \neg p \vee w_{\neg p})$ [4 Augmentation]

13. $w_{\neg p} \Rightarrow \bigcirc(\neg p \vee w_{\neg p})$ [4 Augmentation]

Step resolution occurs as follows.

14. $a \Rightarrow \bigcirc b$ [6, 10 Step Resolution]

Note other step resolution inferences may be performed, for example between 1 and
11 but we omit them as they play no part in the proof. By merging PLTL-clauses 9
and 14, and 7 and 8 into SNF$_m$ using the merged-SNF rule given in §3.1 we obtain
the following loop in $p$ (in SNF$_m$)

$a \Rightarrow \bigcirc(b \wedge p)$ [9, 14 SNF$_m$]

$b \Rightarrow \bigcirc(a \wedge p)$ [7, 8 SNF$_m$]

for resolution with PLTL-clause 4. The resolvents after temporal resolution are
PLTL-clauses 15-20 below

15. $\mathbf{start} \Rightarrow \neg f \vee \neg p \vee \neg a$ [4, 7, 8, 9, 14 Temporal Resolution]

16. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee \neg p \vee \neg a)$ [4, 7, 8, 9, 14 Temporal Resolution]

17. $\mathbf{start} \Rightarrow \neg f \vee \neg p \vee \neg b$ [4, 7, 8, 9, 14 Temporal Resolution]

18. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee \neg p \vee \neg b)$ [4, 7, 8, 9, 14 Temporal Resolution]

19. $w_{\neg p} \Rightarrow \bigcirc(\neg p \vee \neg a)$ [4, 7, 8, 9, 14 Temporal Resolution]

20. $w_{\neg p} \Rightarrow \bigcirc(\neg p \vee \neg b)$ [4, 7, 8, 9, 14 Temporal Resolution]

and the proof concludes as follows.

21. $\mathbf{start} \Rightarrow \neg f \vee \neg a$ [3, 15 (Initial) Step Resolution]

22. $\mathbf{start} \Rightarrow \neg f$ [2, 21 (Initial) Step Resolution]

23. $\mathbf{start} \Rightarrow \mathbf{false}$ [1, 22 (Initial) Step Resolution]

A contradiction has been obtained hence the set of PLTL-clauses is unsatisfiable.



5.3 Temporal Resolution Example (From a Formula)

Next we show that $\Box a \wedge \Diamond\neg a$ is unsatisfiable. First we translate to the normal
form.

1. $\mathbf{start} \Rightarrow x$

2. $x \Rightarrow \Diamond\neg a$

3. $\mathbf{start} \Rightarrow \neg x \vee a$

4. $\mathbf{true} \Rightarrow \bigcirc(\neg x \vee a)$

5. $\mathbf{start} \Rightarrow \neg x \vee y$

6. $\mathbf{true} \Rightarrow \bigcirc(\neg x \vee y)$

7. $y \Rightarrow \bigcirc y$

8. $y \Rightarrow \bigcirc a$

As the set of PLTL-clauses contains a sometime PLTL-clause (no. 2) we augment
with the following PLTL-clauses.

9. $\mathbf{start} \Rightarrow \neg x \vee \neg a \vee w_{\neg a}$ [2 Augmentation]

10. $\mathbf{true} \Rightarrow \bigcirc(\neg x \vee \neg a \vee w_{\neg a})$ [2 Augmentation]

11. $w_{\neg a} \Rightarrow \bigcirc(\neg a \vee w_{\neg a})$ [2 Augmentation]

We can find a loop for resolution with PLTL-clause 2 by merging 7 and 8 to give

$$y \Rightarrow \bigcirc(y \wedge a).$$

One of the resolvents obtained is PLTL-clause 12 from which we can derive a contradiction.

12. $\mathbf{start} \Rightarrow \neg x \vee \neg a \vee \neg y$ [2, 7, 8 Temporal Resolution]

13. $\mathbf{start} \Rightarrow \neg x \vee \neg a$ [5, 12 (Initial) Step Resolution]

14. $\mathbf{start} \Rightarrow \neg x$ [3, 13 (Initial) Step Resolution]

15. $\mathbf{start} \Rightarrow \mathbf{false}$ [1, 14 (Initial) Step Resolution]


5.4 A Larger Example

Here we conclude the example introduced in §3.4. Recall we are trying to show that

$$(\Diamond p \wedge \Box(p \Rightarrow \bigcirc p)) \Rightarrow \Diamond\Box p$$

is valid. We negated and translated the formula into SNF in §3.4. The PLTL-clauses
in normal form are repeated here although they have been renumbered sequentially.
We only show the steps relevant to the refutation.

1. $\mathbf{start} \Rightarrow f$

2. $f \Rightarrow \Diamond p$

3. $r \Rightarrow \bigcirc q$

4. $r \Rightarrow \bigcirc r$

5. $\mathbf{start} \Rightarrow \neg f \vee q$

6. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee q)$

7. $\mathbf{start} \Rightarrow \neg f \vee r$

8. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee r)$

9. $s \Rightarrow \bigcirc p$

10. $\mathbf{start} \Rightarrow (\neg q \vee \neg p \vee s)$

11. $\mathbf{true} \Rightarrow \bigcirc(\neg q \vee \neg p \vee s)$

12. $t \Rightarrow \Diamond\neg p$

13. $u \Rightarrow \bigcirc t$

14. $u \Rightarrow \bigcirc u$

15. $\mathbf{start} \Rightarrow \neg f \vee t$

16. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee t)$

17. $\mathbf{start} \Rightarrow \neg f \vee u$

18. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee u)$

Next we augment the set of PLTL-clauses to account for the two sometime PLTL-clauses
2 and 12.

19. $\mathbf{start} \Rightarrow (\neg f \vee w_p \vee p)$ [2 Augmentation]

20. $\mathbf{true} \Rightarrow \bigcirc(\neg f \vee w_p \vee p)$ [2 Augmentation]

21. $w_p \Rightarrow \bigcirc(w_p \vee p)$ [2 Augmentation]

22. $\mathbf{start} \Rightarrow (\neg t \vee w_{\neg p} \vee \neg p)$ [12 Augmentation]

23. $\mathbf{true} \Rightarrow \bigcirc(\neg t \vee w_{\neg p} \vee \neg p)$ [12 Augmentation]

24. $w_{\neg p} \Rightarrow \bigcirc(w_{\neg p} \vee \neg p)$ [12 Augmentation]

Step resolution then begins.

25. $r \Rightarrow \bigcirc(\neg p \vee s)$ [3, 11 Step Resolution]

26. $(s \wedge r) \Rightarrow \bigcirc s$ [9, 25 Step Resolution]

By merging PLTL-clauses 4, 9 and 26 into SNF$_m$ we obtain the loop

$$(s \wedge r) \Rightarrow \bigcirc(s \wedge r \wedge p)$$

for resolution with PLTL-clause 12. This generates additional PLTL-clauses (from
the resolvent) as follows.

27. $\mathbf{start} \Rightarrow (\neg t \vee \neg s \vee \neg r \vee \neg p)$ [4, 9, 26, 12 Temporal Resolution]

28. $\mathbf{true} \Rightarrow \bigcirc(\neg t \vee \neg s \vee \neg r \vee \neg p)$ [4, 9, 26, 12 Temporal Resolution]

29. $w_{\neg p} \Rightarrow \bigcirc(\neg s \vee \neg r \vee \neg p)$ [4, 9, 26, 12 Temporal Resolution]

Thus the refutation continues as follows.

30. $\mathbf{true} \Rightarrow \bigcirc(\neg t \vee \neg r \vee \neg p \vee \neg q)$ [11, 28 Step Resolution]

31. $r \Rightarrow \bigcirc(\neg t \vee \neg p \vee \neg q)$ [4, 30 Step Resolution]

32. $r \Rightarrow \bigcirc(\neg t \vee \neg p)$ [3, 31 Step Resolution]

33. $(r \wedge u) \Rightarrow \bigcirc\neg p$ [13, 32 Step Resolution]

Now by merging PLTL-clauses 4, 14 and 33

$$(r \wedge u) \Rightarrow \bigcirc(r \wedge u \wedge \neg p)$$

we have a loop for resolution with PLTL-clause 2, which generates several resolvents,
including PLTL-clause 34.

34. $\mathbf{start} \Rightarrow (\neg f \vee \neg r \vee \neg u \vee p)$ [2, 4, 14, 33 Temporal Resolution]

35. $\mathbf{start} \Rightarrow (\neg f \vee \neg r \vee \neg u \vee \neg q \vee s)$ [10, 34 (Initial) Step Resolution]

36. $\mathbf{start} \Rightarrow (\neg f \vee \neg r \vee \neg u \vee \neg q \vee \neg t \vee \neg p)$ [27, 35 (Initial) Step Resolution]

37. $\mathbf{start} \Rightarrow (\neg f \vee \neg r \vee \neg u \vee \neg q \vee \neg t)$ [34, 36 (Initial) Step Resolution]

38. $\mathbf{start} \Rightarrow (\neg f \vee \neg r \vee \neg q \vee \neg t)$ [17, 37 (Initial) Step Resolution]

39. $\mathbf{start} \Rightarrow (\neg f \vee \neg r \vee \neg q)$ [15, 38 (Initial) Step Resolution]

40. $\mathbf{start} \Rightarrow (\neg f \vee \neg q)$ [7, 39 (Initial) Step Resolution]

41. $\mathbf{start} \Rightarrow \neg f$ [5, 40 (Initial) Step Resolution]

42. $\mathbf{start} \Rightarrow \mathbf{false}$ [1, 41 (Initial) Step Resolution]

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6 Correctness 



First we show that augmentation is satisfiability preserving. Next, a soundness
result is obtained by showing that an application of the step or temporal resolution
rule preserves satisfiability. Finally completeness is proved by considering the
construction of a graph representing all possible models of the augmented set of
PLTL-clauses. Here, deletions of parts of the graph that cannot be used to construct
models are associated with step and resolution rules.

6.1 Augmented PLTL-Clause Sets

We will show that an augmented PLTL-clause set has a model if, and only if, its
underlying (non-augmented) PLTL-clause set has a model.

Definition 4 Given a set, $S$, of SNF PLTL-clauses, a normal model for the augmented
PLTL-clause set for $S$ is a model which satisfies the formula

$$\Box(w_l \Leftrightarrow (\neg l \wedge \Diamond l)) \qquad (13)$$

for each literal $l$ which occurs as an eventuality (i.e. inside the scope of a $\Diamond$ operator)
in $S$.

Definition 5 An augmented PLTL-clause set is said to be well-behaved if it is
either unsatisfiable or has a normal model.

Lemma 5 (Augmentation) If $S$ is a set of SNF PLTL-clauses then

1. $\mathit{Aug}(S)$ is well-behaved, and,

2. $\mathit{Aug}(S)$ has a model if and only if $S$ has a model.

Proof

If $\mathit{Aug}(S)$ has a model then, ignoring the value of each $w_l$ at each moment gives a
model for $S$. Conversely, if $S$ has a model $M$, then $M$ can be extended to a model
$M'$ for $\mathit{Aug}(S)$ by giving $w_l$ the same truth value as $\neg l \wedge \Diamond l$ in $M$ in each state,
and for each literal $l$. The model $M'$ clearly satisfies the formulae (7), (8) and (9)
from §4.3 and (13) above. The lemma follows easily from these two observations.
□

6.2 Soundness 

6.2.1 Step Resolution Rules 

It is easy to see that given a satisfiable set of PLTL-clauses the application of the 
initial or step resolution inferences, or simplification preserves satisfiability. 

6.2.2 Temporal Resolution Rule 

The following lemma is a soundness result for the temporal resolution rule (applied 
to augmented PLTL-clause sets). 

Lemma 6 (Soundness) Let $S$ be a well-behaved augmented PLTL-clause set. Let
the PLTL-clause set $T$ be obtained from $S$ by application of the temporal resolution
operation. Then

1. $T$ is well-behaved, and,

2. if $S$ is satisfiable then $T$ is satisfiable.

Proof

If $S$ is satisfiable then $S$ has a model, and by Lemma 5 it has a normal model $M$.
The side conditions for temporal resolution guarantee that the loop resolvents, i.e.
formulae (10), (11) and (12) given in §4.3, hold in $M$, and so $M$ is a (normal) model
for $T$, i.e. $T$ is satisfiable. If $S$ is unsatisfiable then the addition of PLTL-clauses to
produce $T$ is also unsatisfiable. Hence $T$ is well-behaved. □

6.3 Completeness 

We will now prove the completeness of the temporal resolution procedure by induction
on the size of a behaviour graph of a set of SNF PLTL-clauses. Note, as
we have added all the new variables required for the translation of the unless operator
by augmentation in §3.1 and avoided renaming the conjunction that occurs
from negating the loop-formula (a disjunction) as mentioned in §4.2 we require no
new proposition symbols during the proof. Thus the graph constructed has all the
propositional symbols we require and will not increase in size during the proof.

Definition 6 [Behaviour Graph] Given a set $S$ of SNF PLTL-clauses, we construct
a finite directed graph $G$ as follows. The nodes of $G$ are all ordered pairs $(V, E)$
where $V$ is a valuation of the proposition symbols occurring in $S$ and $E$ is a subset
of the literals occurring as eventualities in $S$, i.e. literals occurring on the right-hand
side of the sometime PLTL-clauses in $S$. Thus $V$ contains either $p$ or $\neg p$ for each
proposition symbol $p$ in $S$. For each node $(V, E)$, let $R$ be the set of step PLTL-clauses
of $S$ which are "fired" by $V$ — that is, the set of step PLTL-clauses whose
left-hand sides are satisfied by $V$. Let $L$ be the set of clauses on the right-hand
sides of the PLTL-clauses in $R$, i.e. $L$ contains formulae that are the disjunction
of literals from the right-hand side of each PLTL-clause in $R$ having first removed
the next operator. Let $E'$ be the set of elements of $E$ which are not satisfied by
$V$. For each valuation $V'$ which satisfies $L$, let $E''$ be the set of literals occurring
on the right-hand sides of the sometime PLTL-clauses fired by $V'$. Then for each
$V'$ construct an edge in $G$ from $(V, E)$ to $(V', E' \cup E'')$. These are the only edges
originating from $(V, E)$. Let $L_0$ be the set of initial PLTL-clauses of $S$. For each
valuation $V$ which satisfies $L_0$, where $E'$ is the set of literals occurring on the right-hand
sides of the sometime PLTL-clauses fired by $V$, the node $(V, E')$ is designated
as an initial node of $G$. The behaviour graph of $S$ is the full subgraph of $G$ given
by the set of nodes reachable from the initial nodes. We regard the identification of
the initial nodes as part of the structure of the behaviour graph.



Lemma 7 Let $S$ be a set of SNF PLTL-clauses and let $T$ be the set of SNF PLTL-clauses
obtained from $S$ by adding finitely many initial PLTL-clauses and finitely
many step PLTL-clauses which only involve proposition symbols occurring in $S$.
Then the behaviour graph of $T$ is a subgraph of the behaviour graph of $S$.

Proof

This is established by induction on the length of the shortest path from an initial
node to an arbitrary node in the behaviour graph of $T$. Let $\mathit{len}$ be the length of the
shortest path from an initial node to a node $n$. To show the base case we let $\mathit{len} = 0$
and show that any initial node in the behaviour graph of $T$ is an initial node in the
behaviour graph of $S$. Let $I \subseteq S$ be the initial PLTL-clauses of $S$ and $I' \subseteq T$ the
initial PLTL-clauses of $T$. As $T$ has been constructed by adding initial and/or step
PLTL-clauses to $S$, $I \subseteq I'$. Take any initial node $n_0 = (V_0, E_0)$ in the behaviour
graph for $T$. From the definition of the behaviour graph $V_0$ must satisfy the right
hand side of the PLTL-clauses in $I'$. As $I \subseteq I'$ then $V_0$ must also satisfy the right
hand side of the PLTL-clauses in $I$. As the set of sometime PLTL-clauses in $S$
and $T$ are unchanged, i.e. as $V_0$ satisfies the left hand side of the same sometime
PLTL-clauses in $S$ and $T$, the set $E_0$ will be the same in each graph for $V_0$ and thus
the node $n_0 = (V_0, E_0)$ is also in the behaviour graph for $S$.

Next we assume that if any node $n$, where the length of the shortest path from
an initial node to $n$ is $m$, is in the behaviour graph for $T$, it is also in the behaviour
graph for $S$. We show that any node $n'$ in the behaviour graph for $T$ whose shortest
path length from an initial node is $m + 1$, is also in the behaviour graph for $S$. Let
$J \subseteq S$ be the step PLTL-clauses in $S$ and $J' \subseteq T$ the step PLTL-clauses in $T$. By
assumption we have $J \subseteq J'$. Consider some node $n' = (V', E')$ in the behaviour
graph of $T$ where the shortest path from an initial node to $n'$ is $m + 1$. Let $n = (V, E)$
be any node in the behaviour graph for $T$ such that there is an edge from $n$ to $n'$
and the shortest path from an initial node to $n$ is of length $m$. By the induction
hypothesis, we assume that $n$ is also in the behaviour graph for $S$.

Let $X' \subseteq J'$ be the set of step PLTL-clauses in $T$ such that the left hand sides are
satisfied by $V$ and the right hand sides are satisfied by $V'$. Let $X \subseteq J$ be the corresponding
set of step PLTL-clauses in $S$, i.e. where the left hand sides are satisfied by $V$ and the
right hand sides are satisfied by $V'$. As $J \subseteq J'$ we have $X \subseteq X'$. Furthermore as no change
has been made to the set of sometime PLTL-clauses any eventualities outstanding
from $n$ or triggered by $n'$ will be the same in each graph. Thus $n'$ is also present in
the behaviour graph for $S$. □

Lemma 8 Any model for a set of SNF PLTL-clauses, $S$, can be constructed from
a path through the behaviour graph for $S$.

Proof

To construct a model from a suitable path, $N_0, N_1, N_2, \ldots$ where each $N_i = (V_i, E_i)$,
through the behaviour graph (i.e. one which is infinite and all eventualities are
satisfied) take the valuation $V_i$ from each node $N_i$ in the path (and delete any
negated proposition symbols). Any proposition symbols that do not occur in $S$ but
are required in the model may be set arbitrarily. Details of how to construct models
from behaviour graphs are given in Lemma 11.

Take any model $\sigma = s_0, s_1, \ldots$ for $S$. We show that this model can be constructed
from a path through the behaviour graph. First delete any proposition symbols not
in $S$ from $\sigma$ to give $\sigma' = s'_0, s'_1, \ldots$. As these proposition symbols do not occur in $S$
they have no constraints on them so by setting these proposition symbols to true
and false in the correct way we can recover $\sigma$. Note that $\sigma'$ is a model for $S$. By
definition the behaviour graph for $S$ is the reachable subgraph from the set of initial
nodes. The behaviour graph has been constructed where the $V$ component of each
node consists of every possible valuation. Let $\mathit{pos}(V_i)$ be the set of non-negated
proposition symbols in $V_i$. As $\sigma'$ is a model for $S$, $s'_0$ must satisfy the initial rules
$I \subseteq S$. To construct the behaviour graph for $S$ the initial nodes are those with
valuations that satisfy $I$, for a particular $E$ component. As nodes are constructed
with each valuation and subset of eventualities there must be a node $N_0 = (V_0, E_0)$
where $\mathit{pos}(V_0) = s'_0$.

Next for some $s'_i$ in $\sigma'$ assume that there is a node $N_i = (V_i, E_i)$ in the behaviour
graph for $S$ such that $\mathit{pos}(V_i) = s'_i$. We show that $\mathit{pos}(V_{i+1}) = s'_{i+1}$ for some node
$N_{i+1} = (V_{i+1}, E_{i+1})$ in the behaviour graph for $S$. Let $R \subseteq S$ be the set of step
PLTL-clauses in $S$. Take the set of step PLTL-clauses $R' \subseteq R$ such that the left
hand side of the PLTL-clauses in $R'$ is satisfied by $V_i$. As $\mathit{pos}(V_i) = s'_i$, $s'_i$ must
satisfy the left hand side of the PLTL-clauses in $R'$. As $\sigma'$ is a model for $S$, $s'_{i+1}$
must satisfy the right hand side of each PLTL-clause in $R'$ having deleted the next
operator. From the construction of the behaviour graph, edges are drawn from $N_i$
to nodes whose valuation satisfies the right hand side of each PLTL-clause in $R'$
having deleted the next operator (for some $E$ component). As nodes have been
constructed for all valuation/eventuality component combinations there will be one
$N_{i+1} = (V_{i+1}, E_{i+1})$ such that $\mathit{pos}(V_{i+1}) = s'_{i+1}$.

Hence we can construct $\sigma'$ using the valuations from each node and following a
path through the behaviour graph for $S$. This can be extended to $\sigma$ by setting the
additional proposition symbols as required. □

Lemma 9 Let S be a set of PLTL-clauses and T be the set of clauses obtained from 
S hy applying one simplification or subsumption step. The behaviour graph for S is 
the same as the behaviour graph for T. 

Proof 

First assume wo have performed a simplification step. We show that any node 
and edge that is in the behaviour graph for 5* is also in the behaviour graph for T. 
The proof of the converse is similar. The proof is by induction on the length of the 
shortest path from an initial node. For the base case the length of the path from 
an initial node to n is 0, i.e. n is an initial node. If the simplification stop has not 
been performed on an initial PLTL-clause i.e. the set of initial PLTL-clauses in S 
and in T arc the same then n must also be in the behaviour graph for T. Otherwise 
we have performed a simplification step on an initial PLTL-clause i.e S contains 
start Y and T contains start Y' where Y = Y'. Each initial node n in the 
behaviour graph for S satisfies Y by definition of the behaviour graph. As Y = Y' 
node n also satisfies Y' so n is in the behaviour graph for T. 

Next assume the node n in the behaviour graph for S, whose shortest path 
distance from an initial node is m, is also in the behaviour graph for T. We show 
that any node of shortest path length m + 1 from an initial node is also in the 
behaviour graph for T. Take a node n" in the behaviour graph for 5* whose shortest 
path length from an initial node is m + 1. Consider n' such that (n', n") is an edge 
in the behaviour graph from S where the shortest path length from n' to an initial 
node is m. From the induction hypothesis n' is also in also in the behaviour graph 
for T. Assume that a simplification step has been applied to rule X QY £ S 
to obtain X' ^ OY' E T and that n' satisfies X. Thus from the definition of the 
behaviour graph n" must satisfy Y. As we have performed a simplification step 
X = X' and Y = Y' so n' also satisfies X' and n" satisfies Y' as the sets S and 
T are unchanged apart from this. Hence n" and the edge {n',n") must also be in 
T. If the node n' didn't satisfy X, or the simplification rule had been on an initial 
PLTL-clause then n" would again be in the behaviour graph for T as the remaining 
rules are unchanged. The proof of the converse is similar. 

To show the proof holds for a subsumption step assume S contains rules X ⇒ ○Y and X' ⇒ ○Y' where X ⇒ X' and Y' ⇒ Y. Thus by a subsumption step T = S \ {X ⇒ ○Y}. The proof is similar to the above. □
We now introduce the concept of a reduced behaviour graph, which will be used later 
in the completeness proof. 

Definition 7 [Reduced Behaviour Graph] Given a behaviour graph we apply the following rules repeatedly until no more deletions are possible.

• If a node has no successors, delete that node (and all edges to the node).

• If a node n = (V, E) contains an eventuality l (i.e. l ∈ E) and l is not satisfied in n, i.e. l ∉ V, and there is no path from n to a node whose valuation satisfies l, then delete n.

The resulting graph is called the reduced behaviour graph for S.
This terminology implies that the reduced graph does not depend on the order of deletions. The proof of this fact is straightforward, but is not necessary for the completeness proof — we only need to know that a reduced graph (one from which no further deletions are permitted) exists.
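The two deletion rules of Definition 7, together with the model construction used later in the proof of Lemma 11, as an added example that is not part of the paper: the graphs, node names and eventuality `q` are constructed for illustration, and a node is the pair (V, E) of the definition.

```python
from collections import deque

# Constructed example (not the paper's code).  A behaviour-graph node is a
# pair (V, E): V is the frozenset of proposition symbols true in that state
# and E the frozenset of outstanding eventualities.  Literals are written
# 'p' or '~p'; edges map each node to the set of its successors.


def satisfies(valuation, literal):
    """Does the valuation make the literal true?"""
    if literal.startswith("~"):
        return literal[1:] not in valuation
    return literal in valuation


def reachable(edges, start):
    """Nodes reachable from start along one or more edges."""
    seen, todo = set(), deque(edges.get(start, ()))
    while todo:
        n = todo.popleft()
        if n not in seen:
            seen.add(n)
            todo.extend(edges.get(n, ()))
    return seen


def reduce_behaviour_graph(nodes, edges):
    """Definition 7: repeatedly delete (1) nodes with no successors and
    (2) nodes with an unsatisfied eventuality that no reachable node
    satisfies.  Returns the surviving nodes and the edges between them."""
    alive = set(nodes)
    changed = True
    while changed:
        changed = False
        live = {n: {m for m in edges.get(n, ()) if m in alive} for n in alive}
        for n in list(alive):
            V, E = n
            if not live[n]:                                  # rule (1)
                alive.discard(n)
                changed = True
                continue
            later = reachable(live, n)
            for ev in E:                                     # rule (2)
                if not satisfies(V, ev) and not any(satisfies(m[0], ev) for m in later):
                    alive.discard(n)
                    changed = True
                    break
    return alive, {n: {m for m in edges.get(n, ()) if m in alive} for n in alive}


def is_unsatisfiable(nodes, edges):
    """Lemma 11: the clause set is unsatisfiable iff the reduced graph is empty."""
    return not reduce_behaviour_graph(nodes, edges)[0]


def model_path(nodes, edges, initial):
    """Lemma 11, 'only if' direction: from a non-empty reduced graph build the
    lasso path P_1 ... P_j (prefix) followed by Q = P_{j+1} ... P_i (cycle),
    along which every eventuality of every node is satisfied later on."""
    alive, live = reduce_behaviour_graph(nodes, edges)
    assert initial in alive
    order = lambda m: (sorted(m[0]), sorted(m[1]))          # deterministic choice

    def extend_to(start, ev):
        """Shortest path (excluding start) to a node satisfying ev."""
        parent, todo = {start: None}, deque([start])
        while todo:
            n = todo.popleft()
            if n != start and satisfies(n[0], ev):
                path = []
                while n != start:
                    path.append(n)
                    n = parent[n]
                return path[::-1]
            for m in sorted(live[n], key=order):
                if m not in parent:
                    parent[m] = n
                    todo.append(m)
        raise ValueError("unreachable: the reduced graph guarantees a path")

    segments, seen, n = [], {}, initial
    while n not in seen:                     # stop when n_i = n_j for some i > j
        seen[n] = len(segments)
        seg = [n]
        for ev in sorted(n[1]):              # satisfy e_1, ..., e_k in turn
            if not any(satisfies(m[0], ev) for m in seg):
                seg += extend_to(seg[-1], ev)
        segments.append(seg)
        n = min(live[seg[-1]], key=order)    # a successor of the end point of P_i
    j = seen[n]
    prefix = [x for s in segments[:j] for x in s]
    cycle = [x for s in segments[j:] for x in s]
    return prefix, cycle


def node(true_symbols, outstanding):
    return (frozenset(true_symbols), frozenset(outstanding))


# Constructed graphs over symbols p, q with the single eventuality q.
N0, N1, N2, N3 = node([], ["q"]), node(["p"], ["q"]), node(["q"], []), node(["p", "q"], [])
SAT_EDGES = {N0: {N1, N3}, N1: {N1, N2}, N2: {N2}, N3: set()}   # N3 is terminal
UNSAT_EDGES = {N0: {N1, N3}, N1: {N1}, N3: set()}             # q never satisfied

if __name__ == "__main__":
    print(reduce_behaviour_graph(set(SAT_EDGES), SAT_EDGES)[0])
    print(is_unsatisfiable(set(UNSAT_EDGES), UNSAT_EDGES))
    print(model_path(set(SAT_EDGES), SAT_EDGES, N0))
```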

Lemma 10 During the construction of a reduced behaviour graph any node reachable from a deleted node is also deleted.

Proof

There are two conditions for the deletion of nodes to form a reduced behaviour graph. Firstly, nodes with no successors are deleted. No nodes are reachable from a node with no successors, hence the lemma follows. Secondly, nodes n = (V, E) are deleted where l is an outstanding eventuality, i.e. l ∈ E but no reachable node satisfies l, i.e. l ∉ V. From the construction of the behaviour graph and from the conditions allowing us to delete n, any node n' = (V', E') reachable from n must contain l as an outstanding eventuality, i.e. l ∈ E', but does not satisfy l. Thus any node reachable from n must also be deleted. □

Lemma 11 A set of SNF PLTL-clauses is unsatisfiable if, and only if, its reduced behaviour graph is empty.

Proof

Let S be a set of SNF PLTL-clauses. An infinite path through the (unreduced) behaviour graph for S, starting at an initial node, gives a sequence of valuations for the propositional symbols — i.e., a PLTL model. By construction of the graph, this model satisfies the initial and step PLTL-clauses of S. Furthermore, by Lemma || any such model must arise from a path through the behaviour graph. However, not all paths give models for the full set of PLTL-clauses S, since either the paths may not be infinite or they may fail to satisfy some eventualities (which occur within sometime PLTL-clauses). If a node, n, has no successors, then there are no infinite paths through that node, so any model for S must arise from a path through the graph with n deleted. Thus the first deletion criterion can be applied without removing any potential models. Also, if a node n contains an eventuality l then any path through that node which is to yield a model for S must satisfy l either at n or somewhere later in the path. Thus, if a node contains an eventuality that cannot be satisfied then this node cannot be part of a model for the set of PLTL-clauses, hence we can apply the second deletion criterion without discarding potential models for S. The "if" part of the proposition follows.

To prove the "only if" part, suppose the reduced behaviour graph for S, call it G, is non-empty. We will now use G to construct a model for S. First note that the set of initial nodes in G is non-empty, since, in the behaviour graph, every node is reachable from the initial nodes and any node reachable from a deleted node is also deleted (by Lemma 10). Now, choose an initial node n_0 = (V_0, E_0). If E_0 is non-empty, choose an ordering e_1, ..., e_k for the literals in E_0. Since n_0 has not been deleted, there is a path in G to a node m_{0,1} in which the eventuality e_1 is satisfied. If the eventuality e_2 is not present in m_{0,1} it must have been satisfied somewhere along the path. Otherwise, we can extend the path to a node m_{0,2} which satisfies e_2. Continuing in this way we can find a path P_1 (which may consist simply of the node n_0 if all of E_0 are satisfied there) such that each element of E_0 is satisfied at some point along P_1. Let n_1 be a successor of the end point of P_1 (it must have a successor since we have deleted all terminal nodes). Repeating our construction, we can find a path P_2 beginning at n_1 along which all the eventualities in n_1 are satisfied. Let n_2 be a successor of the end point of P_2. Repeat this construction until n_i = n_j for some i > j, which must happen eventually since G is finite. Let Q be the path P_{j+1} ... P_i. Then the path P = P_1 P_2 ... P_i Q Q ... has the property that, for each node in the path, each eventuality in that node is satisfied at some node later in the path. To see this, recall that if a node contains an eventuality e but does not satisfy e, then e is in the eventuality set of all immediate successors of that node. So, either e is satisfied before we reach the next n_r, or e is an eventuality in n_r and so is satisfied along P_{r+1}. Furthermore P is obviously an infinite path. It follows by the construction of the behaviour graph that the sequence of valuations given by P is a model for S. □
We are now ready to prove the completeness theorem for propositional clausal tem- 
poral resolution. 

Theorem 4 (Completeness) If a well-behaved augmented PLTL-clause set, S, is unsatisfiable then the temporal resolution procedure will derive a refutation when applied to S.

Proof

The proof proceeds by induction on the number of nodes in the behaviour graph of S.

First we consider the effect of simplification and subsumption rules on the behaviour graph for a set of PLTL-clauses. Given a set of PLTL-clauses S, let the application of simplification and subsumption rules to S result in the set of PLTL-clauses S'. By Lemma || the behaviour graph of S is identical to that of S'.

If the behaviour graph is empty, then the set of initial PLTL-clauses in S is unsatisfiable. By the completeness of classical resolution, we can use step resolution on the set of initial PLTL-clauses to derive the empty clause.

Now suppose the behaviour graph G is non-empty. By Lemma 11 the reduced behaviour graph is empty and so there must be a node which can be deleted from G. If G has a terminal node n = (V, E), let R be the set of step PLTL-clauses whose left-hand sides are satisfied by V. Then, having deleted the next operator, the right-hand sides of the PLTL-clauses in R form an unsatisfiable set L of propositional clauses. By completeness of classical resolution again, there is a refutation of L. Choosing an element of R corresponding to each element of L, we can "mimic" this classical refutation by step resolution inferences to derive a step PLTL-clause

$$l_1 \land \ldots \land l_k \Rightarrow \bigcirc \mathbf{false} \qquad (14)$$

where each l_i is a literal which is satisfied by V. The temporal resolution procedure allows us to rewrite PLTL-clause (14) as

$$\mathbf{start} \Rightarrow \neg l_1 \lor \ldots \lor \neg l_k \qquad (15)$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg l_1 \lor \ldots \lor \neg l_k). \qquad (16)$$

By Lemma || adding PLTL-clauses (15) and (16) (and any other resolvents derived along the way) to S produces a PLTL-clause set T whose behaviour graph H is a subgraph of G. (H is in fact a proper subgraph, since H has no node whose valuation is V. If n was an initial node it does not satisfy the initial PLTL-clause (15) as l_i ∈ V for i = 1 ... k. If n was a non-initial node, as the left-hand side true is satisfied by every node in G, the successor of any node must also satisfy (¬l_1 ∨ ... ∨ ¬l_k). As we have l_i ∈ V for i = 1 ... k, no edges can be drawn to n so H does not contain n.) Furthermore, T is well-behaved since it has exactly the same models as S. By induction, T, and hence S, has a refutation.

If G does not have a terminal node, then it must contain a node n = (V, E) such that some eventuality l ∈ E is not satisfied at any node reachable from n. Let N be the set of nodes reachable from n. For each n_i = (V_i, E_i) ∈ N, let R_i be the set of step PLTL-clauses in S whose left-hand sides are satisfied by V_i. Let

$$A_i \Rightarrow \bigcirc B_i \qquad (17)$$

be an SNF_m PLTL-clause that is the result of applying the SNF_m merging operation to the PLTL-clauses in R_i. Note A_i is the conjunction of the left-hand sides of the PLTL-clauses in R_i and B_i is the conjunction of the right-hand sides of the PLTL-clauses in R_i (contained in the next operator), and V_i satisfies A_i. Note A_i and B_i are simply classical propositional formulae. Then each B_i logically implies ¬l since none of the V_i in N satisfy l. Each n_i ∈ N leads to a node n_j satisfying B_i for some i. Thus n_j must satisfy B_i ∧ l or B_i ∧ ¬l. By definition each successor of a node in N is also in N (as l is unsatisfied in all nodes reachable from n). As l is not satisfied by any node in N we have that B_i ∧ l is unsatisfiable and thus B_i ⇒ ¬l is valid (in classical propositional logic).

Also each B_i logically implies the disjunction of the A_k's corresponding to the successors of n_i, as each node n_i ∈ N leads to a node n_j = (V_j, E_j) that satisfies B_i, and by definition n_j ∈ N and V_j satisfies A_j. Thus B_i ∧ ¬∨_k A_k is unsatisfiable. Hence B_i ⇒ ∨_k A_k. Hence, we can use SNF_m PLTL-clauses of the form (17) in an application of temporal resolution. Let A be the disjunction of the A_i. Then each V_i satisfies ¬l ∧ A. For each node n_i in N either there is a PLTL-clause C ⇒ ◇l in S and the valuation at n_i satisfies C, or for each predecessor p_i of n_i the valuation at p_i satisfies w_l.

Let T be the result of adding the loop resolvents (the three resolvent PLTL-clauses from § 4.3) and let H be the behaviour graph for T. Then H has no nodes from the set N. So H is a proper subgraph of G by Lemma || and T is well-behaved by Lemma ||. Once again, it follows by induction that there is a refutation for S. □

6.4 Termination 

Theorem 5 The resolution algorithm will terminate.

Proof

Following the translation to normal form the set of PLTL-clauses is augmented so no new proposition symbols are required during the proof. Hence we have a finite number of proposition symbols. Further, there are a finite number of right- and left-hand sides we may obtain as initial and step PLTL-clauses modulo ordering of the conjunctions or disjunctions. Simplification rules mean that the left- or right-hand sides cannot grow indefinitely. Note that the number of sometime PLTL-clauses does not change. Thus step (3) of the algorithm in §L4 either generates start ⇒ false and terminates, or we have tried to resolve each PLTL-clause with every other and obtained no new PLTL-clauses, i.e. nothing that is not in the set already (modulo ordering of conjunctions/disjunctions).

The argument is similar for the termination of step 5. Having augmented the set of PLTL-clauses with the new proposition symbols needed to translate resolvents from temporal resolution into SNF, at some point no new resolvents will be generated as we have a finite set of possible PLTL-clauses. □



7 Complexity 

We consider the increase in number of proposition symbols and PLTL-clauses gen- 
erated by the translation to SNF followed by consideration of the complexity of the 
resolution proof method. 

7.1 Translation to the normal form 

We consider two aspects of the complexity of translating an arbitrary formula to 
SNF in detail, namely the maximum number of SNF PLTL-clauses generated from 
a formula of a given size, and the number of new proposition symbols introduced. 
Note in this section we do not include the new w_l proposition symbols as we consider this to be part of the resolution method itself.



7.1.1 Number of PLTL-clauses generated 

We define the length len(A) of a formula A as follows (the cases for the remaining operators follow the same pattern).

$$
\begin{array}{lcl}
\mathrm{len}(\Diamond l) &=& 1 \qquad (l \text{ a literal})\\
\mathrm{len}(l_1 \lor l_2 \lor \ldots \lor l_n) &=& 1\\
\mathrm{len}(\bigcirc(l_1 \lor \ldots \lor l_n)) &=& 1\\
\mathrm{len}(\mathbf{true}) = \mathrm{len}(\neg\mathbf{true}) = \mathrm{len}(\mathbf{false}) = \mathrm{len}(\neg\mathbf{false}) &=& 1\\
\mathrm{len}(\neg(A\,\mathcal{W}\,B)) &=& 1 + \mathrm{len}(\neg A) + \mathrm{len}(\neg B)\\
\mathrm{len}(A\,\mathcal{W}\,B) &=& 1 + \mathrm{len}(A) + \mathrm{len}(B)\\
\mathrm{len}(\neg(A \lor B)) &=& 1 + \mathrm{len}(\neg A) + \mathrm{len}(\neg B)\\
\mathrm{len}(A \lor B) &=& 1 + \mathrm{len}(A) + \mathrm{len}(B) \qquad (A \text{ and } B \text{ not disjunctions})\\
\mathrm{len}(\neg(A \land B)) &=& 1 + \mathrm{len}(\neg A) + \mathrm{len}(\neg B)\\
\mathrm{len}(A \land B) &=& 1 + \mathrm{len}(A) + \mathrm{len}(B)\\
\mathrm{len}(\neg(A \Rightarrow B)) &=& 1 + \mathrm{len}(A) + \mathrm{len}(\neg B)\\
\mathrm{len}(A \Rightarrow B) &=& 1 + \mathrm{len}(\neg A) + \mathrm{len}(B)\\
\mathrm{len}(\Box A) &=& 1 + \mathrm{len}(A)\\
\mathrm{len}(\neg\Box A) &=& 1 + \mathrm{len}(\neg A)
\end{array}
$$



Lemma 12 For any proposition symbol x and PLTL formula W, the maximum number of PLTL-clauses generated from the translation of τ_1[□(x ⇒ W)], denoted by clauses(τ_1[□(x ⇒ W)]), will be at most 11 × len(W), i.e.

$$\mathrm{clauses}(\tau_1[\Box(x \Rightarrow W)]) \le (11 \times \mathrm{len}(W))$$

Proof

The proof is by induction on the length of W. The base case is where W has length 1, i.e. it has the form ◇l, l_1 ∨ ... ∨ l_n, true, false, ○(l_1 ∨ ... ∨ l_n). As illustrated in § 3.2, τ_1[□(x ⇒ ◇l)] produces one PLTL-clause, τ_1[□(x ⇒ (l_1 ∨ ... ∨ l_n))] produces two PLTL-clauses, τ_1[□(x ⇒ const)] produces two PLTL-clauses (where const is true, ¬true, false or ¬false) and τ_1[□(x ⇒ ○(l_1 ∨ ... ∨ l_n))] produces one PLTL-clause. In each case, if the number of PLTL-clauses produced is M,

$$M \le (11 \times 1).$$

For the inductive hypothesis we assume that the theorem holds for formulae of length n and examine each case for length n + 1. Again, by considering the proofs in § 3.2, the maximum number of PLTL-clauses from removing any operator (or negated operator) is 11 (from ¬(A W B)).

$$
\begin{array}{rcl}
\mathrm{clauses}(\tau_1[\Box(x \Rightarrow \neg(A\,\mathcal{W}\,B))]) &=& 11 + \mathrm{clauses}(\tau_1[\Box(y \Rightarrow \neg A)]) + \mathrm{clauses}(\tau_1[\Box(z \Rightarrow \neg B)])\\
&\le& (11 + (11 \times \mathrm{len}(\neg A)) + (11 \times \mathrm{len}(\neg B)))\\
&=& 11(1 + \mathrm{len}(\neg A) + \mathrm{len}(\neg B))\\
&=& 11 \times \mathrm{len}(\neg(A\,\mathcal{W}\,B))
\end{array}
$$

$$
\begin{array}{rcl}
\mathrm{clauses}(\tau_1[\Box(x \Rightarrow (A\,\mathcal{W}\,B))]) &=& 6 + \mathrm{clauses}(\tau_1[\Box(y \Rightarrow A)]) + \mathrm{clauses}(\tau_1[\Box(z \Rightarrow B)])\\
&\le& (6 + (11 \times \mathrm{len}(A)) + (11 \times \mathrm{len}(B)))\\
&\le& 11(1 + \mathrm{len}(A) + \mathrm{len}(B))\\
&=& 11 \times \mathrm{len}(A\,\mathcal{W}\,B)
\end{array}
$$

$$
\begin{array}{rcl}
\mathrm{clauses}(\tau_1[\Box(x \Rightarrow \Box A)]) &=& 6 + \mathrm{clauses}(\tau_1[\Box(y \Rightarrow A)])\\
&\le& (6 + (11 \times \mathrm{len}(A)))\\
&\le& 11(1 + \mathrm{len}(A))\\
&=& 11 \times \mathrm{len}(\Box A)
\end{array}
$$

$$
\begin{array}{rcl}
\mathrm{clauses}(\tau_1[\Box(x \Rightarrow \neg\Box A)]) &=& 1 + \mathrm{clauses}(\tau_1[\Box(y \Rightarrow \neg A)])\\
&\le& (1 + (11 \times \mathrm{len}(\neg A)))\\
&\le& 11(1 + \mathrm{len}(\neg A))\\
&=& 11 \times \mathrm{len}(\neg\Box A)
\end{array}
$$

The cases for the other operators are similar. □

Theorem 6 For any PLTL formula W, the maximum number of PLTL-clauses generated from the translation into SNF will be at most 1 + (11 × len(W)), i.e.

$$\mathrm{clauses}(\tau_0[W]) \le (1 + (11 \times \mathrm{len}(W)))$$

Proof

Let W be a PLTL formula. To transform it into SNF we apply the τ_0 transformation, i.e.

$$\tau_0[W] = \tau_1[\Box(x \Rightarrow W)] \land \Box(\mathbf{start} \Rightarrow x)$$

From Lemma 12 we know the maximum number of PLTL-clauses from τ_1[□(x ⇒ W)] is 11 × len(W); hence, the maximum number for the translation of W is 1 + (11 × len(W)). □



7.1.2 Number of new proposition symbols generated 

Lemma 13 For any proposition symbol x and PLTL formula W, the maximum number of new proposition symbols generated from the translation of τ_1[□(x ⇒ W)], denoted by props(τ_1[□(x ⇒ W)]), will be at most 4 × len(W), i.e.

$$\mathrm{props}(\tau_1[\Box(x \Rightarrow W)]) \le (4 \times \mathrm{len}(W))$$

Proof

The proof is by induction on the length of W. The base case is where W has length 1, i.e. it has the form ◇l, l_1 ∨ ... ∨ l_n, true, false, ○(l_1 ∨ ... ∨ l_n). Each of these produces no new proposition symbols, so as 0 ≤ (4 × 1) we are done. For the inductive hypothesis we assume that the theorem holds for formulae of length n and examine each case for length n + 1. Again we examine some of the cases involved.

$$
\begin{array}{rcl}
\mathrm{props}(\tau_1[\Box(x \Rightarrow \neg(A\,\mathcal{W}\,B))]) &=& 4 + \mathrm{props}(\tau_1[\Box(y \Rightarrow \neg A)]) + \mathrm{props}(\tau_1[\Box(z \Rightarrow \neg B)])\\
&\le& (4 + (4 \times \mathrm{len}(\neg A)) + (4 \times \mathrm{len}(\neg B)))\\
&=& 4(1 + \mathrm{len}(\neg A) + \mathrm{len}(\neg B))\\
&=& 4 \times \mathrm{len}(\neg(A\,\mathcal{W}\,B))
\end{array}
$$

$$
\begin{array}{rcl}
\mathrm{props}(\tau_1[\Box(x \Rightarrow (A\,\mathcal{W}\,B))]) &=& 3 + \mathrm{props}(\tau_1[\Box(y \Rightarrow A)]) + \mathrm{props}(\tau_1[\Box(z \Rightarrow B)])\\
&\le& (3 + (4 \times \mathrm{len}(A)) + (4 \times \mathrm{len}(B)))\\
&\le& 4(1 + \mathrm{len}(A) + \mathrm{len}(B))\\
&=& 4 \times \mathrm{len}(A\,\mathcal{W}\,B)
\end{array}
$$

$$
\begin{array}{rcl}
\mathrm{props}(\tau_1[\Box(x \Rightarrow \Box A)]) &=& 2 + \mathrm{props}(\tau_1[\Box(y \Rightarrow A)])\\
&\le& (2 + (4 \times \mathrm{len}(A)))\\
&\le& 4(1 + \mathrm{len}(A))\\
&=& 4 \times \mathrm{len}(\Box A)
\end{array}
$$

$$
\begin{array}{rcl}
\mathrm{props}(\tau_1[\Box(x \Rightarrow \neg\Box A)]) &=& 1 + \mathrm{props}(\tau_1[\Box(y \Rightarrow \neg A)])\\
&\le& (1 + (4 \times \mathrm{len}(\neg A)))\\
&\le& 4(1 + \mathrm{len}(\neg A))\\
&=& 4 \times \mathrm{len}(\neg\Box A)
\end{array}
$$

The cases for the other operators are similar. □

Theorem 7 For any PLTL formula W, the maximum number of new proposition symbols, N, generated from the translation into SNF will be at most 1 + (4 × len(W)), i.e.

$$N \le 1 + (4 \times \mathrm{len}(W))$$

Proof

Let W be a PLTL formula. To transform it into SNF we apply the τ_0 transformation, i.e.

$$\tau_0[W] = \tau_1[\Box(x \Rightarrow W)] \land \Box(\mathbf{start} \Rightarrow x)$$

From Lemma 13 we know the maximum number of new proposition symbols from τ_1[□(x ⇒ W)] is 4 × len(W). Hence the maximum number for the translation of W is 1 + (4 × len(W)). □

7.2 Step Resolution 

Both forms of step resolution are essentially equivalent to classical resolution; for example, the derivation of ○false on the right-hand side of a step PLTL-clause is essentially a classical resolution proof on the clauses of the right-hand sides of (a subset of) the step PLTL-clauses. The complexity of this phase of the method is equivalent to the complexity of carrying out several classical resolution proofs on (simple translations of) the SNF PLTL-clauses. Indeed, one approach to the practical mechanisation of step resolution has been to translate the SNF PLTL-clauses into a form suitable for a classical resolution theorem prover [Dix...].



7.3 Temporal Resolution 

In order to consider the complexity of the temporal resolution phase, we describe a 
(naive) algorithm to find PLTL-clauses with which to apply the temporal resolution 
operation. 

7.3.1 A Naive Algorithm for Loop Detection 

Given a set of m step PLTL-clauses, R, and an eventuality ◇l from the right-hand side of a sometime PLTL-clause, we carry out the following.

1. Construct the set of merged-SNF PLTL-clauses for the SNF PLTL-clauses in R, i.e. apply the merged-SNF operation in § 3.1 to each set of PLTL-clauses in each member of the powerset of R, obtaining the set of (SNF_m) PLTL-clauses, R*.

2. Delete any PLTL-clause X_i ⇒ ○Y_i in R* such that it is not the case that Y_i ⇒ ¬l.

3. Delete any SNF_m PLTL-clause X_i ⇒ ○Y_i in R* such that it is not the case that

$$Y_i \Rightarrow \bigvee_j X_j$$

where X_j is the left-hand side of PLTL-clause j in R*.

4. Repeat 3 until no more SNF_m PLTL-clauses can be deleted.
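The four steps above, with the implication checks done by truth table as in the complexity analysis that follows, as an added example that is not part of the paper: the step clauses in `R_SAMPLE` are constructed, and `is_loop` checks the loop side conditions of Theorem 8 on the output.

```python
from itertools import combinations, product

# Constructed example (not the paper's code).  Literals are 'p' or '~p'.  A step
# PLTL-clause X => O Y is a pair (X, Y) with X a frozenset of literals read as a
# conjunction and Y a frozenset of literals read as a disjunction.  Merged-SNF
# clauses keep a CNF right-hand side: a frozenset of such disjunctions.


def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def lit_holds(lit, val):
    """val is the set of proposition symbols that are true."""
    return (lit[1:] not in val) if lit.startswith("~") else (lit in val)


def lits_of(y):
    """Literals of a right-hand side, whether a plain disjunction or a CNF."""
    return {l for part in y for l in (part if isinstance(part, frozenset) else {part})}


def symbols(clauses, *extra):
    syms = {lit.lstrip("~") for x, y in clauses for lit in set(x) | lits_of(y)}
    syms |= {lit.lstrip("~") for lit in extra}
    return sorted(syms)


def valuations(syms):
    for bits in product((False, True), repeat=len(syms)):
        yield {s for s, b in zip(syms, bits) if b}


def cnf_holds(cnf, val):
    return all(any(lit_holds(l, val) for l in disj) for disj in cnf)


def dnf_holds(dnf, val):
    return any(all(lit_holds(l, val) for l in conj) for conj in dnf)


def implies(cnf, test, vals):
    """cnf => test is valid: every valuation satisfying cnf passes test."""
    return all(test(v) for v in vals if cnf_holds(cnf, v))


def merge_snf(R):
    """Step 1: one merged-SNF clause per non-empty subset of R, with the lefts
    conjoined and the rights conjoined (as a CNF)."""
    return [(frozenset().union(*(x for x, _ in sub)), frozenset(y for _, y in sub))
            for k in range(1, len(R) + 1) for sub in combinations(R, k)]


def find_loop(R, l):
    """Naive loop detection for the eventuality <>l over step clauses R.
    Returns the merged clauses that survive steps 2-4 (a loop in ~l), or []."""
    vals = list(valuations(symbols(R, l)))
    not_l = neg(l)
    # Step 2: keep X => O Y only if Y => ~l (checked by truth table).
    r_star = [(x, y) for x, y in merge_snf(R)
              if implies(y, lambda v: lit_holds(not_l, v), vals)]
    # Steps 3 and 4: delete clauses whose Y does not imply the disjunction of
    # the remaining left-hand sides; repeat until nothing changes.
    while True:
        lefts = [x for x, _ in r_star]
        kept = [(x, y) for x, y in r_star
                if implies(y, lambda v: dnf_holds(lefts, v), vals)]
        if len(kept) == len(r_star):
            return kept
        r_star = kept


def is_loop(clauses, l):
    """Loop side conditions (Theorem 8): each right-hand side implies ~l and
    implies the disjunction of the left-hand sides."""
    if not clauses:
        return False
    vals = list(valuations(symbols(clauses, l)))
    lefts = [x for x, _ in clauses]
    return all(implies(y, lambda v: lit_holds(neg(l), v) and dnf_holds(lefts, v), vals)
               for _, y in clauses)


def step(left, right):
    return (frozenset(left), frozenset(right))


# Constructed step clauses: a => O a and a => O ~l form a loop in ~l; b => O b does not.
R_SAMPLE = [step(["a"], ["a"]), step(["a"], ["~l"]), step(["b"], ["b"])]

if __name__ == "__main__":
    for x, y in find_loop(R_SAMPLE, "l"):
        print(" & ".join(sorted(x)), "=> O",
              " & ".join("(" + " | ".join(sorted(d)) + ")" for d in y))
```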
7.3.2 Correctness of Naive Algorithm

Theorem 8 Given a set of step PLTL-clauses R and an eventuality ◇l, there is a loop in ¬l within R if, and only if, the above algorithm outputs a non-empty set of PLTL-clauses L'.

Proof

Consider a loop L in ¬l formed from the set of PLTL-clauses R. Let the disjunction of the left-hand sides of the SNF_m PLTL-clauses in L be X. As L is a loop the right-hand side of each SNF_m PLTL-clause in L implies both ¬l and X. Assume there are n SNF_m PLTL-clauses in L. Each SNF_m PLTL-clause (or an equivalent SNF_m PLTL-clause) in L must be in the set R* before deletions, as L has been made by combining PLTL-clauses in R.

We next consider the deletion of any SNF_m PLTL-clause in L from R*. Step 2 of the algorithm will not remove any of the SNF_m PLTL-clauses in L from R*, as it removes SNF_m PLTL-clauses whose right-hand sides do not imply ¬l but, by assumption, each SNF_m PLTL-clause in L has a right-hand side that implies ¬l. Assume we are about to remove an SNF_m PLTL-clause P ⇒ ○Q, contained in L, from the set R* using step 3 of the algorithm. Let Y be the disjunction of the left-hand sides of the SNF_m PLTL-clauses remaining undeleted in R* that are not in L. Thus P ⇒ ○Q is being deleted as it is not the case that Q ⇒ X ∨ Y. However we know that Q ⇒ X, as L is a loop, so Q ⇒ X ∨ Y must also hold, giving a contradiction. Hence none of the SNF_m PLTL-clauses in L can be deleted from R*, so the algorithm must return a set of SNF_m PLTL-clauses containing L.

Consider any set of SNF_m PLTL-clauses L' output by the algorithm. Each SNF_m PLTL-clause has been made by combining PLTL-clauses in R. Each right-hand side implies ¬l, otherwise it would have been deleted by step 2 of the algorithm. Each right-hand side implies the disjunction of the left-hand sides of the set of SNF_m PLTL-clauses, otherwise it would have been deleted by step 3 of the algorithm. The set of SNF_m PLTL-clauses satisfies the side conditions for being a loop, hence this loop can be constructed by combining the relevant PLTL-clauses in R. □



7.3.3 Complexity of the Naive Algorithm 

Next we consider the complexity of detecting a set of PLTL-clauses in the way outlined above. We assume a set of m step PLTL-clauses containing n proposition symbols. The cost of combining the set of PLTL-clauses R is 2^m. To check that the right-hand side of each PLTL-clause implies ¬l we must check a truth table with 2^{n−1} lines. Thus for 2^m PLTL-clauses we must check in total 2^{n−1} × 2^m = 2^{n+m−1} lines. For step 3 the worst case is if one PLTL-clause is deleted from the set during each cycle of deletions until all the PLTL-clauses are deleted. We must check that each PLTL-clause implies the disjunction of the remaining left-hand sides, i.e. for each right-hand side checked we must consider a truth table with 2^n lines. Thus, to check each PLTL-clause once has complexity of order 2^m × 2^n = 2^{m+n}, and to carry out 2^m rounds of checking we require 2^{2m+n}. Hence, the complexity of applying the resolution rule once is of order 2^{2m+n}.

This gives the worst case bound for any loop checking algorithm. Refined approaches to finding loops only improve the average performance [Dix96, Dix98].



7.4 Complexity of the Temporal Resolution Method 

We consider the complexity of the whole method by looking at the behaviour graph used in the proof for completeness of temporal resolution. Assume we have n proposition symbols (including those added for augmentation, see § 3.1) and r eventualities. Deletions in the behaviour graph represent either a series of step resolution inferences or a temporal resolution inference.

The deletion of a terminal node (and edges into it) corresponds to construction of a PLTL-clause A ⇒ ○false, i.e. the complexity of a classical resolution proof. The deletion of a terminal subgraph (one or more nodes) with p an unsatisfied eventuality corresponds to temporal resolution (with complexity 2^{2m+n} for m PLTL-clauses). The worst case is if we have to delete each node separately, i.e. the worst case complexity is the number of nodes multiplied by the maximum of the complexity of a temporal resolution step and the complexity of classical resolution, plus the complexity of classical resolution (i.e. resolution between start PLTL-clauses to finish the proof). Although the number of PLTL-clauses we have may change at each step, the worst case number of PLTL-clauses is 2^{2n}, i.e. 2^n possible left-hand sides and 2^n possible right-hand sides. Recall that nodes in the behaviour graph are pairs (V, E) where V is a valuation of the proposition symbols in the PLTL-clause set and E is a subset of the eventualities. Thus the number of nodes in the behaviour graph is 2^n × 2^r (where r ≤ 2n), i.e. at worst 2^{3n}. Thus the complexity is of the order 2^{3n} × 2^{2m+r+n} = 2^{2m+r+4n}.

We note that the complexity of satisfiability for PLTL is PSPACE-complete [SC8]. The complexity for the resolution methods in [AM85], [CFdC84], [Ven86] and the tableau method in [Gou84] is not discussed in the relevant papers, but the complexity for Wolper's tableau [Wol83] is given as exponential in the length of the initial formula.



8 Related Work 

We consider three resolution based approaches for PLTL (or similar languages) and 
then several implemented methods for PLTL. 

8.1 Resolution Methods for PLTL 
8.1.1 Venkatesh 



Venkatesh [Ven86] describes a clausal resolution method for PLTL for future-time operators including U. First, formulae are translated into a normal form containing a restricted nesting of temporal operators. The normal form is

where each C_i, and each clause enclosed in the □-operator, (known as clauses) is a disjunction of formulae of the form ○^k l, ○^k □l, ○^k ◇l or ○^k(l' U l) (known as principal terms) for l and l' literals, k ≥ 0 and ○^k denoting a series of k ○-operators.

The clauses in the normal form therefore either apply to the first moment in time or to every moment in time (those enclosed in a □-operator). Resolution proofs are displayed in columns separating the clauses that hold in each state. To determine unsatisfiability, the principal terms (except ○^k l) in each clause are unwound to split them into present and future parts. For example the clause F ∨ ◇l is replaced by F ∨ l ∨ ○◇l, and similarly for □ and U. Next, classical-style resolution is carried out between complementary literals relating to the present parts of the clauses in each column or state. Then, any clauses in a state that contain only principal terms with one or more next operators are transferred to the next state and the number of next operators attached to each term is reduced by one. This process is shown to be complete for clauses that contain no eventualities. Formulae that contain eventualities that are delayed indefinitely due to unwinding are eliminated, and this process is shown to be complete.

This system makes use of a normal form which at the top level is similar to ours, i.e. there are clauses that relate to the first moment in time (as do our initial PLTL-clauses) and to every moment in time (as our step and eventuality PLTL-clauses). Venkatesh uses renaming to remove any nesting of operators, as we do here, to rewrite into the normal form. Thus, as with our system, new propositions are introduced into the normal form. The main difference is that Venkatesh does not remove the temporal operators □ and U.

Our initial step resolution can be compared with the resolution of complemen- 
tary literals in the first state and step resolution is comparable to resolution of 
complementary literals in other states. 

The main difference is the treatment of eventualities. The system described in this paper looks for sets of formulae with which to apply the temporal resolution rule to generate additional constraints that must be fulfilled. Venkatesh looks for persistent unfulfilled eventualities. In many ways the Venkatesh system behaves like a temporal tableau system [Wol83, Gou84], but classical resolution inferences are applied within states. Repeated states containing persistent eventualities are identified and the unresolved eventualities eliminated, similar to the check for unsatisfied eventualities in temporal tableau.

The overall approach of the system described in this paper generates constraints until we obtain a contradiction in the initial state, start ⇒ false. Venkatesh's approach reasons forward, carrying clauses that are disjunctions of terms involving one or more next operators to the next moment, having deleted a next operator. This forward reasoning approach seems similar to the work on the executable temporal logics MetateM [BFG+96].



8.1.2 Cavalli and Farinas del Cerro 



A clausal resolution method for PLTL is outlined in [CFdC84]. The temporal operators defined in the logic include ○, □, and ◇ but do not include U. The method described rewrites formulae to a complicated normal form and then applies a series of temporal resolution rules.

A formula, F, is said to be in Conjunctive Normal Form (CNF), if it is of the form

$$F = C_1 \land C_2 \land \ldots \land C_n$$

where each C_j is called a clause and is of the following form.

$$C_j = L_1 \lor L_2 \lor \ldots \lor L_n \lor \Box D_1 \lor \Box D_2 \lor \ldots \lor \Box D_p \lor \Diamond A_1 \lor \Diamond A_2 \lor \ldots \lor \Diamond A_q$$

Here each L_i is a literal preceded by a string of zero or more ○-operators, each D_i is a disjunction of the same general form as the clauses and each A_i is a conjunction where each conjunct possesses the same general form as the clauses. The resolution operations are split into three types: classical operations, temporal operations and transformation operations. The former apply the classical resolution rule and classical logic rewrites; the latter two are required for manipulations of temporal operators. For example, a temporal operation is of the form that □x and ◇y can be resolved if x and y are resolvable, and the resolvent will be the resolvent of x and y with a ◇-operator in front.

Formulae are refuted by translation to normal form and repeated application of the inference rules. Resolution only takes place between clauses in the context of certain operators outlined in the resolution rules.

The method is only similar to our method in that it uses translation to a clause form, although the normal form is much more complicated. The rules required to rewrite formulae into the normal form depend on temporal theorems and classical methods. Renaming and the introduction of new proposition symbols is not required.

The temporal and transformation operations take account of the temporal operators to make sure that contradictory formulae occur at the same moment in time. In our system this is done by translating to the normal form followed by initial and step resolution. Several operations are defined to deal with eventualities, for example the temporal operation given above, whereas we have just the one temporal resolution rule. The following complex transformation operation can be applied to an eventuality and is required to deal with the induction between □ and ○.

$$\Sigma_3(\Diamond E, F) \rightarrow E \lor \bigcirc E \lor \ldots \lor \bigcirc^{n-1} E \lor \Sigma_j(\Diamond(\neg E \land \bigcirc\neg E \land \ldots \land \bigcirc^{n-1}\neg E \land \bigcirc^n E), F)$$

And if E ∨ ○E ∨ ... ∨ ○^{n−1}E or (◇(¬E ∧ ○¬E ∧ ... ∧ ○^{n−1}¬E ∧ ○^n E), F) is resolvable then (◇E, F) is resolvable,

where Σ denotes the further application of a classical, temporal or transformation operation and ○^{n−1} denotes a string of n − 1 next operators. The method is only described for a subset of the operators that we use, i.e. a less expressive logic. Further, the completeness proof is only given for the ◇ and ○ operators. An implementation of the method has been developed; however, it is not clear when to apply each operation to lead towards a proof.



8.1.3 Abadi 



Non-clausal temporal resolution systems are developed for propositional |AM85| 
and then first-order temporal logics [AM9C] that are discrete and linear and have 
finite past and infinite future. The systems are developed first for fragments of 
the logic including the temporal operators O , CH , and (} and then extended for 
O, n, C', VVB and V. The binary operator V is known as precedes where uVv — 
-n{{^u)Wv). 

Because the system is non-clausal many simplification and inference rules need 
to be defined. The resolution rule is of the form 



A < u, . . . ,u >,B < u, . . . ,u > — > A < true > V B < false > 

where A < u, . . . ,u > denotes that u occurs one or more times in A. Here occur- 
rences of u in A and B are replaced with true and false respectively. To ensure the 
rule is sound each u that is replaced must be in the scope of the same number of 
O-operators, and must not be in the scope of any other modal operator in A or B, 
i.e. they must apply to the same moment in time. Other rules such as distribution 
and modality rules allow the format of the expression to be changed, for example 
the n-modality rule allows any formula Dm to be rewritten as it A O \Z\u. 

The induction rule deals with the interaction between $\Diamond$ and $\bigcirc$ and is of the form

$w,\ \Diamond u \longrightarrow \Diamond(\neg u \wedge \bigcirc(u \wedge \neg w))$ if $\vdash \neg(w \wedge u)$.

Informally this means that if $w$ and $u$ cannot both hold at the same time, and if $w$ and $\Diamond u$ hold now, then there must be a moment in time (now or) in the future when $u$ does not hold and at the next moment in time $u$ holds and $w$ does not. Both systems are shown complete. A proof editor has been developed for the propositional system with the $\bigcirc$, $\Box$ and $\Diamond$ operators.
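
The resolution rule and its side condition described above, worked through as an added illustration (this is my own example code, not Abadi's system and not code from this paper). Formulas are nested tuples, `resolve` applies $A\langle u,\ldots,u\rangle, B\langle u,\ldots,u\rangle \longrightarrow A\langle \mathit{true}\rangle \vee B\langle \mathit{false}\rangle$ only when every occurrence of $u$ in $A$ and $B$ lies under the same number of $\bigcirc$ operators and under no $\Box$ or $\Diamond$, and `unfold_always` is the $\Box$-modality rule. The encoding and all function names are assumptions of the example.

```python
# Added illustration of Abadi's non-clausal resolution rule and its side
# condition; the formula encoding and function names are assumptions of this
# example, not code from the paper or from Abadi's system.
#
# Formulas are nested tuples:
#   ('var', 'p')  ('true',)  ('false',)
#   ('not', f)  ('and', f, g)  ('or', f, g)
#   ('next', f)  ('always', f)  ('sometime', f)      # O, [], <>

TRUE, FALSE = ('true',), ('false',)

def occurrences(f, u, depth=0, under_modal=False):
    """List one (next-depth, under_other_modal) pair per occurrence of proposition u."""
    op = f[0]
    if op == 'var':
        return [(depth, under_modal)] if f[1] == u else []
    if op in ('true', 'false'):
        return []
    if op == 'next':
        return occurrences(f[1], u, depth + 1, under_modal)
    if op in ('always', 'sometime'):
        return occurrences(f[1], u, depth, True)
    return [o for sub in f[1:] for o in occurrences(sub, u, depth, under_modal)]

def substitute(f, u, value):
    """Replace every occurrence of proposition u in f by value (TRUE or FALSE)."""
    op = f[0]
    if op == 'var':
        return value if f[1] == u else f
    if op in ('true', 'false'):
        return f
    return (op,) + tuple(substitute(sub, u, value) for sub in f[1:])

def simplify(f):
    """Boolean simplification plus O true = true, O false = false, [] true = true
    and <> false = false, which hold in discrete linear time with an infinite future."""
    op = f[0]
    if op in ('var', 'true', 'false'):
        return f
    args = [simplify(sub) for sub in f[1:]]
    if op == 'not':
        a = args[0]
        if a == TRUE:
            return FALSE
        if a == FALSE:
            return TRUE
        if a[0] == 'not':
            return a[1]
        return ('not', a)
    if op == 'and':
        a, b = args
        if FALSE in (a, b):
            return FALSE
        if a == TRUE:
            return b
        return a if b == TRUE else ('and', a, b)
    if op == 'or':
        a, b = args
        if TRUE in (a, b):
            return TRUE
        if a == FALSE:
            return b
        return a if b == FALSE else ('or', a, b)
    a = args[0]                      # next / always / sometime
    return a if a in (TRUE, FALSE) else (op, a)

def resolvable_on(a, b, u):
    """Side condition: every occurrence of u in A and B lies under the same number of
    next operators and under no other modal operator, i.e. refers to one moment."""
    occ = occurrences(a, u) + occurrences(b, u)
    return bool(occ) and len({d for d, _ in occ}) == 1 and not any(m for _, m in occ)

def resolve(a, b, u):
    """A<u,...,u>, B<u,...,u> --> A<true> v B<false>; None when the condition fails."""
    if not resolvable_on(a, b, u):
        return None
    return simplify(('or', substitute(a, u, TRUE), substitute(b, u, FALSE)))

def unfold_always(f):
    """The []-modality rule: []u is rewritten as u & O[]u."""
    if f[0] != 'always':
        raise ValueError('expected an always-formula')
    return ('and', f[1], ('next', f))

if __name__ == '__main__':
    v = lambda name: ('var', name)
    A = ('next', ('or', ('not', v('u')), v('q')))      # O(~u v q)
    B = ('next', ('or', v('u'), v('p')))               # O(u v p)
    print(resolve(A, B, 'u'))                          # O q v O p
    print(resolve(A, ('or', v('u'), v('p')), 'u'))     # None: u at different O-depths
    print(resolve(('always', ('not', v('u'))), v('u'), 'u'))   # None: u under []
```

The two `None` results show the side condition doing its work: in the second call the two occurrences of $u$ refer to different moments, and in the third one occurrence sits inside $\Box$, so neither pair may be resolved without first rewriting (for instance by the $\Box$-modality rule).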

As there is no translation to a normal form many rules need to be specified to 
allow for every different combination of operators. The resolution rule only allows 

³ Abadi denotes $W$, unless (or weak until), as $U$.

resolution of formulae within the same number of next operators and can perhaps be compared with our step resolution rule, except that, due to our uniform normal form, our step resolution rule is much easier to apply. Finally, the rule that corresponds with our temporal resolution rule is the induction rule. This rule can only be applied if a complex side condition is checked.

Although a proof editor has been developed for the restricted propositional sys- 
tem it seems unlikely that Abadi's system lends itself to a fully automatic im- 
plementation. This is because of the large number of rules that may be applied. 
Further, the induction rule requires a proof as a side condition to its usage which 
will make automatic proofs difficult. The implementation of the induction rule is 
not discussed. The temporal resolution rule we have described in this paper is 
also complex, however we have considered its implementation in [Dix96, Dix98] and 
developed a fully automatic prototype theorem prover based on this. 



8.2 Implementations 

We now briefly mention several implementations available for linear time temporal logics. The Logics Workbench [JBH+], a theorem proving system for various modal logics available over the web, has a module for dealing with logics such as PLTL [Sch98]. The implementation of this module is based on tableau with an analysis of strongly connected components to deal with eventualities. A tableau-based theorem prover for PLTL, called DP, has also been developed [Gou84]. Although not dealing with temporal logics, tableau based methods are also used in FaCT [Hor98], a description logics classifier with a sound and complete subsumption algorithm. Finally, the STeP system [BBC+95], based on ideas presented in [MP92], [MP95], and providing both model checking and deductive methods for PLTL-like logics, has been used in order to assist the verification of concurrent and reactive systems based on temporal specifications.



9 Summary 

In this paper we have described, in detail, a clausal resolution method for proposi- 
tional linear temporal logic (PLTL), and have considered its soundness, complete- 
ness, termination and complexity. The method is based on the translation to a 
concise normal form, and the application of both step resolution (essentially clas- 
sical resolution) and temporal resolution operations. Since temporal logics such as 
PLTL are useful for describing reactive systems, the resolution method has a variety 
of applications in verifying properties of complex systems. We believe that this res- 
olution system can form the basis of an efficient temporal theorem-proving system 
that can out-perform other systems developed for such logics. However, there is 
still work to be done in order to realise this. 



9.1 Future Work 



A prototype version of this system has been implemented in Prolog, primarily to test the loop search algorithms required for the temporal resolution rule [Dix96]. A more refined C++ version, known as Clatter, is currently under development. Both these systems utilise the fact that step resolution is very similar to classical resolution and consequently use a resolution theorem prover for classical logic, namely Otter, to implement this part of the system [Dix00].

The normal form used in this paper (SNF) has been extended to apply to other logics such as branching-time temporal logics [BF97] and multi-modal logics involving both a temporal and a modal dimension [DFW98]. Much of our current work involves extending the clausal resolution approach to a wider variety of temporal and modal logics. In each of these logics, not only must a version of SNF be defined, but specialised resolution operations must be developed dependent on the properties of the logic in question.

Just as strategies for classical resolution have been successful in improving efficiency, we aim to develop similar strategies for temporal resolution. In particular, we are interested in the most efficient way to apply the resolution operations in order to reduce the number of resolution inferences that are made that do not contribute towards finding a proof. The work described in [DF98] outlines preliminary steps in the definition of a temporal set of support. The set of support strategy for classical resolution restricts the number of resolution inferences that can be made. Inferences can only be made where one of the clauses being resolved is from a subset of the full clause set known as the set of support. Thus if we are asked to prove that $B$ is a logical consequence of $A$ (or $A \vdash B$), in resolution we would try to show $A \wedge \neg B$ is unsatisfiable. To use the set of support strategy the clauses derived from $A$ are separated from those derived from $\neg B$, the latter being put into the set of support. Thus resolution inferences between two clauses derived from $A$ are avoided. We are also developing and applying a modified resolution operation that can be used in a more flexible way, and also can be used with strategies such as set of support. Initial results can be found in [FD00].

Finally, as efficient subsets of classical logic, such as Horn clauses, have been investigated, we hope to define restrictions on the normal form that allow temporal resolution to be carried out more efficiently and investigate the classes of problem these subsets correspond to.
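
The set of support strategy as described above, carried out on a small classical example that is added here as an illustration (it is my own code, not the paper's Prolog prototype, Clatter or Otter). To show $A \vdash B$ with $A = \{p \rightarrow q,\ q \rightarrow r\}$ and $B = p \rightarrow r$, the clauses of $A$ are kept outside the set of support and the clauses of $\neg B$ ($p$ and $\neg r$) are put into it; `refute` then counts the resolvents generated with and without the restriction, so the inferences between two $A$-clauses that the strategy avoids become visible. The clause encoding, the sample clauses and all names are assumptions of the example.

```python
# Added example of classical resolution with the set-of-support restriction.
# Illustrative code only: not the paper's Prolog prototype, Clatter, or Otter.
# A clause is a frozenset of literal strings; '~p' is the negation of 'p'.

def negate(lit):
    return lit[1:] if lit.startswith('~') else '~' + lit

def clause(*lits):
    return frozenset(lits)

def resolvents(c1, c2):
    """All binary resolvents of two clauses, tautologies dropped."""
    out = set()
    for lit in c1:
        if negate(lit) in c2:
            r = (c1 - {lit}) | (c2 - {negate(lit)})
            if not any(negate(x) in r for x in r):
                out.add(r)
    return out

def refute(axioms, sos, use_set_of_support=True):
    """Given-clause saturation. Returns (empty clause derived?, resolvents generated).

    With the restriction on, clauses derived from the axioms (A) are never chosen
    as the given clause, so every inference has a parent descended from the set of
    support (the clauses of ~B); resolution between two A-clauses never happens.
    With it off, every clause is queued and all pairs are tried."""
    if use_set_of_support:
        active, queue = set(axioms), list(sos)
    else:
        active, queue = set(), list(axioms) + list(sos)
    inferences = 0
    while queue:
        given = queue.pop(0)
        # sorted partner order keeps the run (and the count) deterministic
        for other in sorted(active, key=sorted):
            for r in resolvents(given, other):
                inferences += 1
                if not r:                      # empty clause: A & ~B unsatisfiable
                    return True, inferences
                if r not in active and r not in queue:
                    queue.append(r)
        active.add(given)
    return False, inferences

# Constructed sample: A = { p -> q, q -> r } as clauses; B = p -> r, so ~B = p & ~r.
AXIOMS = [clause('~p', 'q'), clause('~q', 'r')]
NEGATED_GOAL = [clause('p'), clause('~r')]

if __name__ == '__main__':
    print('set of support:', refute(AXIOMS, NEGATED_GOAL))          # (True, 4)
    print('unrestricted:  ', refute(AXIOMS, NEGATED_GOAL, False))   # (True, 7)
```

With the restriction the refutation needs four resolvents; without it seven are generated, the extra ones including the resolvent $\neg p \vee r$ of the two $A$-clauses, which is exactly the kind of inference the strategy is designed to avoid.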